Asymmetrically masked multiplication

ABSTRACT

Methods and systems for masking certain cryptographic operations in a manner designed to defeat side-channel attacks are disclosed herein. Squaring operations can be masked to make squaring operations indistinguishable or less distinguishable from multiplication operations. In general, squaring operations are converted into multiplication operations by masking them asymmetrically. Additional methods and systems are disclosed for defeating DPA, cross-correlation, and high-order DPA attacks against modular exponentiation.

CROSS REFERENCE TO RELATED APPLICATION

This application is a continuation application of U.S. patentapplication Ser. No. 15/935,279, filed Mar. 26, 2018, which is acontinuation application of U.S. patent application Ser. No. 13/835,402,filed Mar. 15, 2013, now U.S. Pat. No. 9,959,429, the subject matter ofeach of which is incorporated herein by reference in its entirety.

TECHNICAL FIELD

The embodiments described herein relate generally to systems and methodsfor performing asymmetrically masked multiplication and, additionally,systems and methods for performing modular exponentiation incryptographic systems, in a manner that is more secure againstside-channel attacks.

BACKGROUND

Simple Power Analysis (SPA) is a technique that involves directlyinterpreting power consumption measurements collected duringcryptographic operations. SPA can yield information about a device'soperation as well as key material.

Using SPA, modular squaring operations can be distinguished from modularmultiplication operations by analyzing the different power consumptionprofiles produced when modular squares and modular multiplications arecomputed. In early cryptographic devices that used separate circuits forsquaring and multiplication, power consumption differences between theseoperations could be quite large. Even when the same circuit is used forsquaring and multiplication, the power consumption profiles can besignificantly different due to the difference in computationalcomplexity between modular squaring and modular multiplicationoperations. Systems may be compromised due to secret keys being leakedif modular squares can be differentiated from modular multiplications.

The difference in power profiles between squares and multiplicationsexists even when random inputs are submitted to a general multiplicationcircuit. (In this context “squaring” means exercising the circuit tomultiply a parameter by itself.) An optimized squaring operation can befaster than a multiplication. But independent of any speedoptimizations, the computational complexity of a square—measured bycounting the number of transistors that switch during the operation—islower when averaged over many random inputs than the average complexityof many multiplications with different random inputs. Therefore, if thesame circuit performs the squaring and multiplication operations, thesquaring and multiplication operations can often be distinguished fromone another and exploited, if care is not taken to level thedifferences.

Many cryptographic algorithms, like RSA and Diffie-Hellman, involveperforming modular exponentiation. To improve speed of computation,methods have been devised to perform the exponentiation by squaring,often called “square-and-multiply” algorithms. Examples ofsquare-and-multiply algorithms for modular exponentiation includeleft-to-right square and multiply; right-to-left square and multiply;k-ary exponentiation; sliding window method; and Montgomery poweringladder.

FIG. 1A shows a square-and-multiply algorithm where b is raised to anexponent 100111010110101, corresponding to a decimal value of 20149. Thebase is denoted by b, and A is an accumulator. After initialization by1, the exponent can be built up cumulatively one bit at a time from theleft to right as (1, 0, 0, 1, 1, 1, . . . )=(1, 2, 4, 9, 19, 39, . . .). In other words, the exponent can be constructed using a series ofsteps, where each step depends on the bit in that step and the resultfrom the previous step. If the bit is 0, the operation comprisessquaring the previous result. If the bit is 1, the operation comprisessquaring the previous result and multiplying the square with the base b.If no SPA or differential power analysis (DPA) countermeasures are used,then in the left-to-right and right-to-left square-and-multiplyalgorithms for exponentiation, an attacker who can differentiate squaresfrom multiplies can determine the complete exponent being used.

FIG. 1B illustrates a power trace of the modular operations in anexponentiation scheme in which a table of various powers of b areprecomputed: b⁰, b¹, b², b³. (The value b° is equivalent to 1.) In thisscheme, there are always two squares followed by a multiplication by oneof the table entries. This square-square-multiply algorithm produces avery symmetrical power trace of two consecutive lows and one high (SSMSSM SSM SSM . . . ) in the power profile. (This is the k-arrayexponentiation algorithm, with k—the maximum number of exponent bitsthat are processed per multiplication—equal to 2.) Since the pattern ofsquares and multiplies is always SSM, regardless of the bits of theexponent, distinguishing squares from multiplies is not sufficient toreveal the key. This allows the secret key to be hidden, and may protectthe system against certain SPA attacks. However, an attacker who candistinguish one type of multiplication from another can still gaininformation about the key.

Some methods omit the multiplication by 1, or use dummy multiplicationsby another value (discarding the result) in an effort to mask the powertrace. Multiplying the previous result by 1 produces the same output asthe previous result, and thus the output does not have to be discarded.Omitting the multiplication by 1 leaves a potentially detectable SPAcharacteristic. The extra step of discarding the output of a dummyoperation might also be detectable by SPA. Even if the multiplication by1 is not omitted, the operation has low computational complexity anddoes not require much computational power. As a result, an attacker maybe able to decipher multiplications by 1 anyway based on their powerprofiles.

In FIG. 1B, for example, an attacker may be able to detect whenmultiplications by 1 occur by analyzing the power trace, and determinethat the two exponent bits at those locations are zero. (Note that inFIG. 1B, for convenience a sequence square-square-multiply-by-b^(x) isreferred to as SSX. The sequence of operations includes multiplicationsby b⁰, b³, b², b², b³, b¹, and b¹, and is therefore denoted asSSOSS3SS2SS2SS3SS1SS1.) An attacker who can identify the multiplicationsby 1 (that is, by b⁰⁰) may not be able to decode the remaining non-00exponent bits (e.g. 01, 10, or 11) using SPA because of the uniformityof the power profiles at those multiplication locations. Subsequently,the attacker may only be able to obtain approximately a quarter of theexponent bits using this approach, which may or may not be sufficient tobreak the security of the cryptosystem.

FIG. 1C illustrates the clustering of multiplications into sets based onslight differences in the power profiles for different multiplications.As stated earlier, an attacker may be able to detect the locations ofthe 00 exponent bits, but may not be able to determine the actual valuesof the non-00 bits. In other words, the attacker may not be able todistinguish whether a multiplication is by a base to the first power,second power, or third power. In practice, however, most devices usuallyhave some leakage, and each type of multiplication may display adifferent characteristic.

For example, as shown in FIG. 1C, the power profile for multiplicationoperations for bits 11 (decimal value 3) may display a tiny spike at thefront of a step. Similarly, the power profile for multiplicationoperations for bits 10 (decimal value 2) may display a tiny spike at themiddle of a step, and the power profile for multiplication operationsfor bits 01 (decimal value 1) may display a tiny spike at the end of astep. If these tiny spikes features can be observed in an individualpower trace, an attacker may be able to classify these multiplicationsinto three different sets (A, B, C) corresponding to b¹, b², b³, (orsimply “1”, “2”, “3”, although the correspondence may at first beunknown to the attacker). To further confirm the classifications, theattacker can repeat encryptions of the same message and average theresults of the power profiles over a number of exponentiations, forexample over 1000 exponentiations, to observe these fine-scaledifferences between the multiplications. If the attacker is successfulin clustering the different multiplications into sets of (A, B, C), itis relatively easy for the attacker to decipher the exponent key byperforming a search. In the example of FIG. C, there are only 6 waysthat (A, B, C) can map to (1, 2, 3), thus the exponent key maypotentially be deciphered using less than a 3-bit search.

One countermeasure to the above problem is to mask the exponent andrandomize the masking of the exponent in different computations suchthat the sequence of operations may be entirely different in asubsequent computation. For example, if the first and last operationsboth belonged to a cluster A in for the first exponent, then with thenext exponent it may be that the first operation corresponds to acluster D, while the last operation is in a different cluster, E. If theexponent is being randomized from one computation to the next, anattacker will have to be able to perform a clustering successfully (andcorrect all errors) from a single power trace, which increases thedifficulty in deciphering the exponent key. (Exponent randomizingmethods in a group with order phi(N) are well known in the backgroundart, and include such methods as using (d′=d+k*phi(N)) in place of d,splitting d into (a, b) such that a+b=d, or such that b=(d*a⁻¹) modphi(N).)

FIG. 1D illustrates the application of the sliding window algorithm tothe exponent 100111010110101 of FIG. 1B. The sliding window algorithmcan reduce the amount of pre-computation required when compared to thesquare-square-multiply exponentiation in FIG. 1B, by reducing theaverage number of multiplications performed (excluding squarings). Thus,the sliding window algorithm is more efficient and requires fewer memorylocations to store entries.

As shown in FIG. 1D, the sliding window algorithm translates thesequence SS2 (i.e. square, square, multiply by b²) into a differentsequence S1S (square, multiply by b¹, square). The sequence S1S isequivalent to bit 2 (10) because S1S comprises a square multiplier S(0)followed by 1S (10). By replacing all the SS2's with S1S's, the value 2can be omitted from the table. Thus, the sliding window algorithm allowsfor one less table entry, with the resulting table having only entries(0, 1, 3). This reduction in memory location can reduce the number ofparts required for manufacturing the device and can provide costbenefits, especially if the manufacturing of the device is sensitive tocost.

FIG. 1D further shows another way to reduce the number ofmultiplications in the sliding window algorithm. As stated earlier, thebits 0110 corresponding to SS1|SS2 can be replaced with SS1|S1S. SS1|S1Sstill uses two multiplications (each by 1). However, using the slidingwindow algorithm, the two multiplications can be reduced to only onemultiplication if the sequence SS1|S1S is translated to sequenceS|SS3|S, which has only one multiplication (by 3). From the table, it isseen that the sequence S|SS3|S also corresponds to bits 0110. Therefore,in the sliding window algorithm, the exponent does not always have to bedivided into 2-bit blocks (hence the term “sliding”), and the number ofmultiplications can be reduced by looking at each bit from left to rightalong the exponent and using the methods described above.

FIG. 1E illustrates a way of decoding the exponent in the sliding windowalgorithm based on a power profile. As indicated in FIG. 1E, in thesliding window algorithm, there is a decision point at the first bit 1,and at every subsequent non-zero bit (i.e. bit 1). The multiplicationstep in the algorithm does not occur until the decision point isreached. Depending on the next bit in the exponent, the algorithm canexecute one of the following two operations. If the next bit after thedecision point is a 0 (i.e. the 2-bit value is 10), the algorithminserts an S1S (instead of a SS2, since the table no longer has an entry2). If the next bit after the decision point is a 1 (i.e. the 2-bitvalue is 11), the algorithm inserts an SS3.

An attacker may typically see sequences of many squares in a powerprofile where a sliding window algorithm is used. With the simple binaryalgorithm, an attacker who can differentiate squares from multiplies candecode them to completely recover the exponent. With the sliding windowalgorithm, some multiplies correspond to 1 (multiplications by b¹),while others correspond to 3 (i.e. b³). Although this results in someambiguity in decoding the exponent, an attacker still knows that everysequence SSM corresponds to a two-bit section of the exponent where thelow-order bit is 1: i.e. the exponent bits are “?1”. Additionally, inany sequences of S's between M's, the attacker knows that all but thelast two S's before an M must correspond to bits of the exponent thatare 0. Together, these facts allow much of the exponent to be decoded.Furthermore, there are some cases where two M operations occur withfewer than k squares between them, which results from certain exponentbit patterns. When this occurs, it reveals additional bits of theexponent that are zero. For example, when k=3, the sequence MSM canoccur which is not possible in the straight k-ary exponentiationalgorithm. (In FIG. 1E this is characterized by high-low-high power inthe power trace.) When this pattern occurs (for the sliding windowalgorithm with only 1 and 3 in the table), it can only mean that theexponent bits were ‘1110’. This fact may in turn allow the decoding ofbits before and after the segment. A closer examination of the powerprofiles surrounding the MSM sequence in the example of FIG. 1E showsthat the MSM sequence is part of a longer sequence of SSM|SMS|SMS mustcorrespond to 111010. In other words, the attacker is able to determinethe values (3, 1, 1) at these locations. By analyzing the full powertrace in view of the above MSM sequence and S . . . SS sequences, theattacker may be able to decode one-third or possibly two-thirds of thebits in the exponent. If the attacker is able to decode at least half ofthe bits in the exponent, the attacker may be able to solve for theexponent analytically. In some cases, decoding one quarter of thebits—or even a few bits per exponentiation—may be sufficient to breakthe cryptosystem.

Furthermore, the attacker may be able to visually identify sets of 0's,1's, and 3's by averaging the power profiles over thousands ofexponentiations, and looking for characteristics at each MSM location(3, 1) and the remaining unknown multiplication locations, similar tothe method discussed with reference to FIG. 1C. In this case, theattacker may, for example, determine that out of the identified MSMlocations in the power trace, ten locations correspond to 3's, and fivelocations correspond to 1's. The attacker can then compare the knownpower profiles of 1's and 3's at these known MSM locations with theremaining unknown multiplications at other locations (for example, 200multiplications may be unknown) along the power trace. If the attackeris able to cluster the bits (0, 1, 3) into three sets, the attacker canthen decode the exponent entirely.

DPA, and Higher Order DPA Attacks

Previous attempts have been made to foil SPA by masking the exponentvalue. Masking of intermediate values in modular exponentiation can helpresist against DPA attacks. For example, in typical blinded modularexponentiation, an input can be effectively masked or randomized whenthe input is multiplied by a mask that is unknown to the attacker. Themasked or randomized input can later be unmasked at the end of theoperation. Such masking may take advantage of modular inverses, suchthat (X*X⁻¹) mod N=1. For example, (A*(X^(E)))*(X⁻¹)mod N is equal toA^(D) mod N, for exponents D and E where X^(ED)=X mod N.

Different masks are typically used for different operations, but are notchanged in the middle of a modular exponentiation. Between operations, anew mask is sometimes generated efficiently from a previous mask byusing a modular squaring. (i.e. if I=X^(E) and O=X⁻¹ are pre-computedmodulo N and stored, a new set of masks I′ and O′ can be computedefficiently by squaring with I′=I² mod N and O′=O² mod N.) However,designs in which the mask is updated only between exponentiations (andnot within a single exponentiation) can be vulnerable to DPA and higherorder DPA attacks in the form of cross-correlation attacks. Thesecross-correlation attacks are clustering attacks similar to the SPAclustering attacks described above, but employing statistical methods toidentity the clusters. In contrast to a regular DPA attack which targetsa specific parameter at one point, higher order DPA attacks target therelationship(s) between the parameters by using multiple powermeasurements at different locations in the trace to test therelationship(s). If the input parameters are the same in thoselocations, those parameters will have higher correlation, compared tothe locations in which the parameters have no relationship (i.e.different parameters). In many cases, a correlation is detectable ifeven one parameter is shared between two operations—for example, amultiplication of A₁ by B³, and the second, a multiplication of A₂ byB³. A cross-correlation attack allows an attacker to test for thiscorrelation between operations caused by shared use of a parameter.

The doubling attack and the “Big Mac attack” are two types ofcross-correlation attacks. The doubling attack is described in a paperauthored by P. Fouque and F. Valette, titled “The Doubling Attack—WhyUpwards is Better than Downwards,” CHES 2003, Lecture Notes in ComputerScience, Volume 2779, pp. 269-280. The “Big Mac” attack is a higherorder DPA attack, and is described in the paper authored by C. D.Walter, titled “Sliding Windows Succumbs to Big Mac Attack,” publishedin CHES 2001, Lecture Notes in Computer Science, Volume 2162, January2001, pp. 286-299.

The doubling attack targets designs in which the masks are updated bysquaring, and looks at the relationship between the j′th operation inthe k′th trace and the (j−1)′th operation in the (k+1)′th trace. Forexponentiation algorithms such as sliding window, the operations willshare an input if and only if the j′th operation in the k′th trace is asquare—and the correlation between variations in the power measurementsis often higher in this case.

In the “Big Mac” attack, an attacker identifies all of themultiplications in a single trace, and attempts to identify clusters ofoperations that share a multiplicand. For example, in the SSM example ofFIG. 1C, there are four types of multiplication: by 1, b¹, b², and b³.If an obvious SPA characteristic has not been found that allows themultiplications by 1 and clusters A, B, and C to be determined, anattacker may still be able to determine cluster classifications bymounting a cross-correlation attack.

The attack begins by dividing the trace into small segments, with eachsegment corresponding to a square or multiplication. The correlationbetween one multiplication and the next is calculated between the smallsegments corresponding to each operation. (A Big Mac attack can alsowork with many traces—especially if the exponent is not randomized.)

More generally, cross-correlation attacks can look for any relationshipbetween operations. If the attacker can determine the relationshipbetween the input to a particular square or multiplication, and an inputor output of some other operation, the attacker can then obtaininformation about the secret key and undermine the design's security. Asanother example, if the multiplication by 1 (in FIG. 1B) were replacedby a multiplication by another value (discarding the result), then acorrelation may appear between the output of the operation before thedummy mult and the input of the operation after the dummy. In general,an attacker can perform cross correlation attacks by analyzingcorrelation relationships across different operations that share aninput or output, or where the output of one is an input of the other.These relationships can be summarized in terms of which parameters arein common between the LHS (Left Hand Side), RHS (Right Hand Side), andOUT (output) parameters.

For example, if the same LHS (“L”) parameter is used in differentmultiplications but the RHS (“R”) parameters are different between oramong those multiplications, an L-L relationship exists between thosemultiplications.

Conversely, if the same R parameter is used in different multiplicationsbut the L parameters are different between or among thosemultiplications, an R-R relationship exists between thosemultiplications.

Furthermore, if the L parameter in one multiplication is the R parameterin another multiplication, then an L-R relationship exists between thosemultiplications.

A final category comprises of relationships where the output of onemultiplication (“O”) is the input to another multiplication. This maycorrespond to a O-L (Output-LHS), (Output-RHS), or O-O (Output-Output)relationship between those multiplications.

If a multiplier deterministically uses the above parameters in aparticular manner, then feeding the same LHS parameters into twodifferent multipliers will result in the two multipliers operating onthese parameters in the same way when combined with the RHS parameter.As a result, if there is a power leak which reveals information aboutthe LHS parameter, and if the leak can be expressed as H₁(L), anattacker feeding the same LHS parameter into the multipliers will obtainthe same H₁(L) leak and observe the similarity in the leak.

Leakage functions commonly involve a function of the L, R, or Oparameters. A typical leakage function may also leak the higher bit ofeach word of L. For example, if L is a Big Integer represented using32×32-bit words, an attacker can obtain 32 bits of information about L.This is a hash function because it is compressed and has a constantoutput size of 32 bits. However, this hash function is notcryptographically secure because an attacker can determine the exactvalues of the 32 bits, and many bits of L do not influence/affect thecompression function.

An attacker who knows 32 bits of information about L, and who feeds thesame L into a given leakage function for each bit of the word, may beable to immediately detect if there is a collision. Collisions for otherL's that are similar can also be detected because only 32 bits areneeded to be the same in order to obtain a collision.

However, if an attacker is performing a modular exponentiation andsubmitting a RAM sequence of messages to compare values at differentlocations, the probability of triggering a collision is low for the L-Lrelationship unless the values are identical. This also applies for theR-R relationship. When an attacker observes a word (or a parameter) with2 bytes that are zero in the same locations, the attacker can determinethat the word/parameter is the same between the two cases, and can thusdetermine the bytes of R that are zero. However, there may be numerousoperations in which the parameters are different and no leakage istriggered in those operations.

For example, in an L-R relationship, the two leakage functions aredifferent from each other. In some cases, the leakage function R istriggered only when the entire value of a byte is 0, and the leakagefunction L is triggered only when the entire value of the byte is 0 andthe higher bit is 0. As such, in cases where the higher bit is 1, aleakage function L will not be triggered. An attacker may also observe Ras a function of L, with the leakage function spreading the higher bitsof L over the range of the leakage of the bytes of R that occur inbetween multiplication locations. As a result, it is more difficult foran attacker to precisely exploit an L-R relationship.

Lastly, the O-L, O-R, and O-O relationships are significantly harder toexploit, although one way to exploit those relationships may be totransform the trace first before performing the correlation calculation.(The O-L and O-R correlations are particularly relevant, for example,when attacking the Montgomery Ladder exponentiation system.)

In contrast to the leakage function H₁(L) which relates to functions onthe left hand side, the leakage function H₂(R) relates to functions onthe right hand side. An attacker may be able to determine when a wholeword is zero, and distinguish a zero from a non-zero. The attacker canalso determine the bits of the higher order byte of the output, and mayeven be able to determine the entire value of the output.

FIG. 1F shows an exponentiation using the k-arysquare-and-multiply-always algorithm, where the system is vulnerable toboth a doubling attack and a clustering attack. In the example of FIG.1F, the exponent comprises of dummy multipliers (discardable multiplies)inserted between every pair of squares in an SMSSMSS . . . pattern,which results in a SMSMSMSMS . . . pattern.

As shown in FIG. 1F, the first squaring operation on input i begins fromthe leftmost bit and results in i², which is the product of The next bitcorresponds to a multiplication operation, where i² is multiplied by ito yield i³. The subsequent squaring operation on the output of theprevious multiplication results in i⁶ (which is given by i³*i³). Thefollowing is a dummy multiplication, corresponding to a blindedrepresentation (of the dummy multiplier 1). In the dummy multiplication,the output of the previous squaring operation (i⁶) is multiplied by i toyield i⁷. However, the output i⁷ from this dummy multiplication isdiscarded. In other words, the output i⁷ of the dummy multiplicationdoes not constitute input for the next squaring operation. Instead, theoutput of the previous squaring operation (i⁶) is provided as input tothe following squaring operation, which yields i¹² (given by i⁶*i⁶).

A cross-correlation attack in combination with a clustering attack maybe performed in the example of FIG. 1F. Specifically, an attacker mayperform a doubling attack by comparing an operation k+1 in a firsttrace, with an operation k in a second trace, and analyzing thecorrelation in power consumption between the operation k+1 in the firsttrace and the operation k in the second trace. The attacker can nextperform a clustering attack which is described as follows.

For example, with reference to FIG. 1F, the first multiplicationoperation comprises an L parameter (2) and an R parameter (1); and thesecond squaring operation comprises an L parameter (3) and an Rparameter (3). The correlation from the first multiplication operationto the second squaring operation can be denoted as a, comprising an L-Lcorrelation (2-3) and an R-R correlation (1-3). The L-L and R-Rcorrelations with respect to α are not expected to be significant. Also,although there is an output-input correlation, this correlation isusually difficult to detect unless an attacker specifically attacks thiscorrelation.

Next, the dummy multiplication operation comprises an L parameter (6)and an R parameter (1); and the third squaring operation comprises an Lparameter (6) and an R parameter (6). The correlation from the firstmultiplication operation to the second squaring operation can be denotedas β, comprising an L-L correlation (6-6) and an R-R correlation (1-6).As stated previously, the output i⁷ from the dummy multiplication isdiscarded. However, if the L-L correlation is significant, one wouldexpect to observe a higher correlation in the case where theresult/output from one operation is discarded (in β) than in the casewhere the result/output is not discarded (in α). Thus, an attacker maybe able to successfully perform a cross-correlation attack and aclustering attack on the exponent in FIG. 1F, even though dummymultipliers have been inserted to create a symmetricalsquare-and-multiply-always pattern (SMSMSMSMS).

With reference to FIG. 1F, it is noted that if the dummy multiplicationresults are discarded, special circuitry is required to process thediscarded data, and to control whether an output is sent to theaccumulator or whether the output is discarded. Typically, thisprocessing can also be performed using software instead of specialcircuitry. Nevertheless, the software manipulations can be vulnerable toSPA attacks because even though the sequence of squares and multipliesis the same, gaps can exist between locations where the multipliers arenot active. In those gaps, the processor is performing computations todetermine which parameter to load (or the processor may also be copyingparameter into another location). As a result, the timing of those gapsmay leak significant power. In some instances, even the standard squaresand multiplications can have significant SPA leakage, depending on thecomputations performed by the processor and the sequence of operations.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute apart of this specification, together with the description, serve toexplain the principles of the embodiments described herein.

FIG. 1A illustrates an exponentiation system.

FIG. 1B illustrates a power trace of the modular operations in anexponentiation scheme in which there are always two squares followed bymultiplication by one of the table entries.

FIG. 1C illustrates the clustering of multiplications into sets based onslight differences in the power profiles for different multiplications.

FIG. 1D illustrates the application of the sliding window algorithm tothe exponent 100111010110101 of FIG. 1C.

FIG. 1E illustrates a way of decoding the exponent in the sliding windowalgorithm.

FIG. 11F shows an exponentiation using the k-arysquare-and-multiply-always algorithm, where the system is vulnerable toa doubling attack.

FIG. 2A illustrates an exemplary method for performing AsymmetricallyMasked Multiplication (“AMM”) on an unmasked squaring operationconsistent with the invention.

FIG. 2B illustrates an exemplary method for performing AMM on anunmasked multiplication operation consistent with the invention.

FIG. 3A illustrates an exemplary method for performing AMM on a maskedsquaring operation consistent with the invention.

FIG. 3B illustrates an exemplary method for performing AMM on a maskedmultiplication operation consistent with the invention.

FIG. 4A illustrates an exponent, in which squaring and multiplicationoperations are performed according to each bit of the exponent.

FIG. 4B is a flow chart illustrating an exemplary method for determiningthe execution of specific masking operations in the AMM based on thesequence of squaring and multiplication operations in an exponent.

FIG. 4C illustrates in detail the steps when the method of FIG. 4B isapplied to the exponent of FIG. 4A.

FIGS. 5A and 5B illustrate exemplary methods of switching a mask valuein the middle of a computation when AMM is being performed on anexponent.

FIGS. 6A and 6B illustrate exemplary methods of countering clusteringattacks.

FIG. 6C shows an example whereby increasing the number of clusters canreduce the exploitability of leaks.

FIG. 7A shows different types of dummy multiplications, which can berandomized in an exponent.

FIG. 7B shows a blinded representation using a masking parameter, wherethe dummy multiplications are replaced with re-masking operations.

FIG. 7C illustrates an exemplary embodiment of a countermeasure to thedoubling attack in which a base is multiplied by a mask that can beextended to all the bits of the exponent.

FIG. 8A illustrates exemplary embodiments of mid-loop updates within atrace.

FIG. 8B illustrates exemplary embodiments of different mid-loop updatesbetween traces.

FIG. 8C shows how collisions between values may be detected by anattacker.

FIG. 8D shows an exemplary embodiment in which the mid-loop updateincorporates a Fibonacci number-based update moving from one trace tothe next.

FIG. 9 illustrates a block diagram of an exemplary system consistentwith the invention.

DETAILED DESCRIPTION

Reference will now be made in detail to exemplary embodiments asillustrated in the accompanying drawings. Wherever possible, the samereference numbers will be used throughout the drawings and the followingdescription to refer to the same or like parts. These embodiments aredescribed in sufficient detail to enable those skilled in the art topractice the invention and it is to be understood that other embodimentsmay be utilized and that changes may be made without departing from thescope of the present invention. The following detailed description,therefore, is not to be taken in a limited sense.

Methods and systems for masking certain cryptographic operations in amanner designed to defeat SPA attacks are disclosed herein and referredto as Asymmetrically Masked Multiplication (“AMM”). In embodiments ofAMM described herein, squaring operations are masked to make squaringoperations indistinguishable or less recognizable from multiplicationoperations. The goal in masking at least a small number of squares asmultiplications is—if they are indistinguishable from othermultiplies—to defeat simple SPA attacks, and potentially increase thedifficulty of clustering attacks.

In general, squaring operations are converted into multiplicationoperations by masking them asymmetrically. This can be achieved becausesquares are a subset of multiplication—that is, squares aremultiplications in which the LHS and RHS parameters are the same—and amasking strategy that treats the LHS different from the RHS results in amultiplication in which the two inputs are not identical. Althoughsquaring operations are a subset of multiplications, the subset alsobehaves differently from two-input multiplications in general, in termsof the number of transistors that may switch on average (over manyinputs) during the operation, and in terms of optimizations that may beapplied.

In some embodiments, AMM comprises inserting additional multiplicationsor using more multiplications than necessary in an exponentiationoperation. The approach may involve using these multiplications tomultiply a blinding factor into the exponentiation result, or to updatethe masked (blinded) representation of parameters stored in a table.

In some embodiments, AMM comprises transforming a square of an inputinto a multiplication in which a mask value may be added to one copy ofthe input and subtracted from another, and an output is obtained wherethe result is a square of the input added to some mask parameter. In oneembodiment, the mask parameter may be independent of an input value A.In some embodiments, the mask on an output parameter is efficientlytransformed into the input mask on a subsequent operation, and thereforesequences of squares may be transformed into masked multiplications,while maintaining only a small number of mask parameters.

Applying AMM to Unmasked Squaring and Multiplication Operations

FIGS. 2A, 2B, 3A, 3B, and 4A-C describe different embodiments of maskingconsistent with the principles described herein.

FIG. 2A illustrates an exemplary method for performing AMM on a squaringoperation consistent with the invention. Specifically, the method shownin FIG. 2A masks a squaring operation (A->A²) by converting the squareinto a series of intermediate addition, multiplication, and subtractionsteps to derive the final squared value. Also, the method of FIG. 2Abegins and ends with unmasked parameters (i.e. both the input and outputvalues are unmasked). It is noted that all additions, subtractions andmultiplications may be performed using modular arithmetic.

Referring to FIG. 2A, an unmasked input value A is received (step 202).Next, a mask value R and a fix value R² are defined (step 204). The fixvalue can be described as an unmasking parameter.

Next, a left-hand-side (LHS) parameter and a right-hand-side (RHS)parameter are each defined to be equal to the input A (step 206). TheLHS and RHS parameters are equal in a (or any) squaring operation.

-   -   LHS=A    -   RHS=A

Next, temporary values T1, T2, and T3 are calculated in steps 208, 210,and 212. These temporary values represent outputs of differentarithmetic operations on combinations of the above LHS and RHSparameters, mask value, and fix value. In step 208, the temporary valueT1 is calculated as the sum of the LHS parameter and the mask value R:

-   -   T1=LHS+Mask    -   ->T1=A+R

In step 210, the temporary value T2 is calculated by subtracting themask value R from the RHS parameter:

-   -   T2=RHS−Mask    -   ->T2=A−R

In step 212, the temporary value T3 is calculated by multiplyingtemporary value T1 and temporary value T2:

-   -   T3=T1*T2    -   ->T3=(A+R)*(A−R)=A²−R²

Finally, in step 214, an output is determined as the sum of thetemporary value T3 and the fix value R².

-   -   Output=T3+FIX    -   ->Output=(A²−R²)+R²=A²

As shown above, the output from step 214 is the value A², which is thesquare of the input value A. By performing the method of FIG. 2A on thesquaring operation, the left hand side and the right hand sideparameters are not identical during the multiplication in step 212,which prevents any square-based optimizations from being applied by themultiplying circuit. Furthermore, the temporary values T1, T2, and T3are effectively masked within the intermediate steps 208, 210, and 212,respectively, (i.e. their values are not directly correlated to thevalue of A) because either an R or R² value has been incorporated intoeach of these temporary values.

In some embodiments, AMM can also be performed on a multiplicationoperation as shown in FIG. 2B. Specifically, the method shown in FIG. 2Bmasks a multiplication operation (A*B) by converting the multiplicationinto a series of intermediate multiplication, addition, and subtractionsteps to derive the final multiplication value. This process of using asequence of addition, subtraction and multiplication steps around thenon-square multiplications may be important part of making the powersignature of these operations indistinguishable from AMM squares. As inFIG. 2A, the method of FIG. 2B begins and ends with unmasked parameters(i.e. both the input and output values are unmasked).

Referring to FIG. 2B, an unmasked input A and an unmasked input B arereceived (step 216), where A and B are different values. Next, a maskvalue R and a fix value (−B*R) are defined (step 218). The fix value(−B*R) is the unmasking parameter in the method of FIG. 2B.Alternatively, the fix value can be a function of A if (−A*R) is chosenas the fix value instead of (−B*R). Therefore, the fix value is always afunction of at least one of the input values.

Unlike the squaring operation in which both the LHS and RHS parametersare defined to be the same as the input value, the LHS and RHSparameters in a multiplication operation are different from each other.In step 220, a LHS parameter is defined to be equal to input A, while aRHS parameter is defined as the sum of input B and the mask value R.

-   -   LHS=A    -   RHS=B+R

Next, temporary values T1, T2, and T3 are defined. These temporaryvalues represent outputs of different arithmetic operations oncombinations of the above LHS and RHS parameters, mask value, and fixvalue. In step 222, the temporary value T1 is calculated as the sum ofthe LHS parameter and the mask value R:

-   -   T1=LHS+Mask    -   ->T1=A+R

In step 224, the temporary value T2 is calculated by subtracting themask value R from the RHS parameter. It is noted that the step 224produces an unmasked value of B (i.e. the masked RHS parameter isunmasked in step 224):

-   -   T2=RHS−Mask    -   ->T2=(B+R)−R=B

In step 226, the temporary value T3 is calculated as the product of thetemporary values T1 and T2:

-   -   T3=T1*T2    -   ->T3=(A+R)*B

Finally, in step 228, the output is determined as the sum of thetemporary value T3 and the fix value (−B*R).

-   -   Output=T3+FIX.    -   ->Output=(A+R)*B+(−B*R)=A*B

As shown above, the output from step 228 is the value A*B, which is theproduct of the input values A and B. It is noted that applying AMM to amultiplication operation may not be as efficient compared to applyingAMM to a squaring operation. This is because applying AMM to amultiplication requires a fix value (−B*R), which is a function of themask value and one of the input values. Since the fix value (−B*R)depends on the input B, (unlike the fix value R² in the method of FIG.2A), the fix value (−B*R) can be computed and stored only after thevalue of B is known. If this method is used to mask only a singleoperation, then two multiplications (in steps 218 and 226) have beenperformed to produce one output.

However, if B is a constant that will be used in many multiplications,the fix value (−B*R) may be pre-computed. For example, in someembodiments, B is defined as a constant that can be re-used throughout asequence of operations, such as in a modular exponentiation routinewhere the base B appears repeatedly on the right-hand-side (RHS). Also,in some other embodiments, the (−B*R) parameter may be pre-computedcorresponding to different powers of the base in a table based on awindowing method, such as a k-ary algorithm or sliding window algorithm.

It is further noted that masking a small number of squaring operationsusing AMM squarings can make SPA attacks on modular exponentiationsignificantly harder, if an attacker cannot differentiate a squaringwith AMM from other multiplications. As AMM squaring requires additionand subtraction steps that may be visible in the power consumption, itspower signature profile may be most similar to AMM multiplication thathas equivalent steps. Because the mask R can be random and the unmaskingvalue R² can be computed efficiently from it, the mask parameters R usedfor successive modular exponentiations may be completely independent andunpredictable. This may render a doubling attack impractical if AMMsquares. and multiplies are used for all operations in a modularexponentiation. Alternatively, a single pair of constant R and R² may beused across many computations—which still may provide security againstSPA attacks. In another variant, different mask values R and R² are usedat different points within a modular exponentiation. In another variant,the unmasking step in one operation may be eliminated or combined with(replaced by) a masking operation of a subsequent step.

Applying AMM to Masked Squaring and Multiplication Operations

As illustrated in the exemplary methods of FIGS. 3A and 3B, AMM can beapplied to a masked squaring operation (FIG. 3A), or a maskedmultiplication operation (FIG. 3B)—that is, to squaring ormultiplications whose inputs are masked by a parameter R and whoseoutputs are also masked by R.

FIG. 3A illustrates an exemplary method for performing AMM on a maskedsquaring operation consistent with the invention. Specifically, themethod shown in FIG. 3A further masks a masked squaring operation byconverting a masked square into a series of intermediate multiplication,addition, and subtraction steps to derive the final masked squaredvalue. Unlike the example of FIG. 2A, the method of FIG. 3A begins andends with masked parameters (i.e. both the input and output values usingthis method are masked). An advantage to preserving the mask in both theinput and output values is that preserving the same mask throughout theoperations is computationally more efficient. In a typical modularexponentiation routine, there will be a sequence of maskedmultiplication and squaring operations, and it is more efficient tocompute using the same mask throughout the operations rather thanrepeatedly unmask and re-mask at each subsequent operation.

Referring to FIG. 3A, a masked input value Â is received, where Â is aresult of subtracting a first mask value R from an unmasked input valueA (step 302).

-   -   Â=A−R

In step 304, a second mask value R′ is defined to be twice the firstmask value R, and a fix value (unmasking parameter) is defined to be thedifference between R² and R.

-   -   R′=2*R    -   FIX=R²−R

Next, a left-hand-side (LHS) parameter and a right-hand-side (RHS)parameter are each defined to be equal to the masked input A (step 306).

-   -   LHS=Â    -   RHS=Â

Temporary values T1 and T2 are then defined in steps 308 and 310,respectively. These temporary values represent outputs of differentarithmetic operations on combinations of the above LHS and RHSparameters, mask value, and fix value. In step 308, the temporary valueT1 is calculated as the sum of the RHS parameter and the second maskvalue R′, which is equal to 2*R:

-   -   T1=RHS+R′    -   ->T1=Â+2*R    -   ->T1=(A−R)+2*R=A+R

In step 310, the temporary value T2 is calculated as the product of theLHS parameter and the temporary value T1:

-   -   T2=LHS*T1    -   ->T2=Â *(A+R)    -   ->T2=(A−R)*(A+R)=A²−R²

Finally, in step 312, the output is determined as the sum of thetemporary value T2 and the fix value (R²−R).

-   -   Output=T2+FIX    -   ->Output=(A²−R²)+(R²−R)=A²−R

As shown above, the output of step 312 is the masked value (A²−R), whichcontains the square of the unmasked input value A. So the input wasmasked by −R, the output is masked by −R, and by performing the methodof FIG. 3A to perform the squaring operation as a multiplication inwhich the operands in step 310 are not identical. Also, each oftemporary values T1 and T2 are effectively masked within intermediatesteps 308 and 310, respectively, because either an R or R² value hasbeen incorporated into each of these temporary values. Similar to theexemplary method of FIG. 2A, the temporary values T1 and T2 in FIG. 3Ado not contain any term that is a product of A and R, and therefore R orR² is purely an additive mask.

Similarly, AMM can also be performed on a masked multiplicationoperation. FIG. 3B illustrates an exemplary method for performing AMM ona masked multiplication operation consistent with the invention.Specifically, the method shown in FIG. 3B performs a multiplicationoperation on a masked input by converting the multiplication into aseries of intermediate multiplication, addition, and subtraction stepsto derive a final masked output value. The steps in this series ofoperations are equivalent to the steps in an AMM square operation, inorder to render them hard to distinguish by SPA. Unlike the example ofFIG. 2B, the method of FIG. 3B begins and ends with masked parameters(i.e. both the input and output values are masked).

Referring to FIG. 3B, masked input values A and B are received, where Âand {circumflex over (B)} are different values (step 314). The maskedinput A is a result of subtracting a first mask value R from an unmaskedinput value A, and the masked input B is a result of subtracting thefirst mask value R from an unmasked input value B.

-   -   Â=A−R    -   {circumflex over (B)}=B−R

Next, a fix value is defined by subtracting the mask value R from theproduct of the unmasked input value B and the mask value R (step 316).This value may have been pre-computed at the time R was generated, if Bwere known at that time. Alternatively, it may be pre-computed as soonas a value B is known—and may be efficient to retain if the value B isused for more than one multiplication.

-   -   FIX=B*R−R

The fix value (B*R−R) is the unmasking parameter in the exemplary methodof FIG. 3B. The fix value (B*R−R) contains a B*R term, and thus the fixvalue is a function of unmasked input value B. Alternatively, the fixvalue will be a function of A if (A*R−R) is chosen as the fix valueinstead. Thus, the fix value is always a function of at least one of theunmasked input values A or B. It may also be computed on the fly as afunction of a masked input value Â or {circumflex over (B)}, becauseX*R−R=(X−R)*R+(R²−R), and the value (R²−R) may be pre-computed andstored when R is generated.

In step 318, a left-hand-side (LHS) parameter is defined to be equal tothe masked input Â, and a right-hand-side (RHS) parameter is defined tobe, equal to the masked input {circumflex over (B)}.

-   -   LHS=Â    -   RHS={circumflex over (B)}

Next, temporary values T1 and T2 are defined in steps 320 and 322,respectively. These temporary values represent outputs of differentarithmetic operations on combinations of the above LHS and RHSparameters, mask value, and fix value. In step 320, the temporary valueT1 is calculated as the sum of the RHS parameter and the mask value R:

-   -   T1=RHS+Mask    -   ->T1={circumflex over (B)}+R    -   ->T1=(B−R)+R=B

It is noted the temporary value T1 is the unmasked input value B. Inother words, the masked input {circumflex over (B)} (RHS parameter)becomes unmasked in step 320. However a modular exponentiation inputthat was multiplicatively blinded at the start of the computation willremain blinded at this step; only the additive value R has been unmaskedfrom it here.

In step 322, the temporary value T2 is calculated as the product of theLHS parameter and the temporary value T1.

-   -   T2=LHS*T1    -   ->T2=Â *B    -   ->T2=(A−R)*B

Finally, in step 324, the output is determined as the sum of thetemporary value T2 and the fix value (B*R−R).

-   -   Output=T2+FIX    -   ->Output=(A−R)*B+(B*R−R)=A*B−R

As shown above, the output from step 324 is the masked multiplicationresult (A.B−R), which contains the product of the unmasked input valuesA and B.

In some embodiments, the input value B (or A) that is used in the fixvalue is defined as a constant. In these embodiments, the fix value canbe computed more efficiently because it depends only on the constantinput value and the mask value (which is also constant).

In left-to-right exponentiation algorithms, the non-squaremultiplication operations typically update the value of an accumulatorwith the product of the previous contents of the accumulator by a basevalue or power of the base value, and the multiplicand is a pre-computedparameter that is constant across an exponentiation by a particularbase. In some embodiments, a pre-computed power of the fix valuecomprising a B*R−R term may be stored for each pre-computed power of thebase.

Applying AMM to an Exponent

FIG. 4A illustrates an exponent, and a sequence of correspondingsquaring and multiplication operations performed during a modularexponentiation routine. FIG. 4B shows a flowchart for preparing asequence of masks (or indexes for selecting masks) for AMM based on thesequence of squaring and multiplication operations corresponding to anexponent. FIG. 4C illustrates in detail the steps when the method ofFIG. 4B is applied to the exponent of FIG. 4A. To avoid SPA leaks, theprocess of encoding the exponent may be performed prior to theexponentiation process. Alternatively, it may be implemented during theexponentiation. The sequence of steps 402, 404, 406 may be performed inparallel rather than sequentially, to avoid timing/SPA leakage.

Referring to FIG. 4A, an exponent of a certain bit length is received.Initialization begins at the first and leftmost bit 1 in the exponent.Initialization may, for example, comprise assigning a value X to aninput A. In some instances, X can be a value 1. In others, X may be theexponentiation base B or a pre-computed power of the exponentiation baseB.

As shown in FIG. 4A, the exponent sequence 11001 can translate into thesequence of operations init∥SMSSSM, in the simple left-to-rightalgorithm. A square operation and a multiplication operation (SM) areperformed in the beginning after initialization, and also each time abit 1 is encountered. Whenever a bit 0 is encountered along theexponent, one square operations (S) is performed. Based on theaforementioned combinations, the sequence of squaring and multiplicationoperations in the exponent 11001 of FIG. 4A will be as follows afterinitialization:

-   -   1 0 0 1    -   SM S S SM        In the sequence SMSSSM, each S or M operation follows a previous        S or M, and only SM, MS, or SS transitions are observed. (The        exact transitions in SMSSSM are SM, MS, SS, SS, SS, and        SM—coming from the pairs in bold: SMSSSM, SMSSSM, SMSSSM,        SMSSSM, and SMSSSM.) In a sequence of masked AMM squares and        masked AMM multiplies, the mask and fix parameters can be set us        so that the operation flows efficiently and the output of one        masked operation can be used as the input of the next, and all        masks can be precomputed and stored at the start of the        exponentiation. As discussed above, a masked AMM with input mask        ‘A −R’ yields output ‘A²−R’ i.e. using an identical mask.        Further, a masked AMM multiply whose inputs are masked with        ‘A−R’ and ‘B−R’ produces an output masked as ‘A*B−R’. Again, the        identical mask is preserved. As a result, two operations are        defined in terms of a mask R that take masked inputs and produce        masked outputs—all defined in terms of R. These can be chained        together to produce an exponentiation that is masked from        beginning to end. The transformation of squares into AMM squares        renders them indistinguishable on average from true        multiplies—however they are only indistinguishable if the        sequence of add and subtract operations applied is also        independent of whether the operations are squares or multiplies.

FIG. 4B is a flow chart illustrating the execution of specific maskingoperations in the AMM based on the specific sequence of squaring andmultiplication operations in an exponent. Although actually following adecision tree such as this during a modular exponentiation is likely toproduce data dependent power variations, the decision tree defines anencoding strategy that in some embodiments is implemented as a sequenceof operations in constant time and with constant SPA features.

With reference to FIG. 4B, as the AMM proceeds along the length of theexponent from left to right, the method determines which masking stepsto insert between consecutive two operations, based on whether the twooperations are the pair SM, MS, or SS. In step 402, the methoddetermines if two consecutive operations in the exponent consist of amultiplication operation and a square operation (i.e. MS). If theoperations are MS, the following masking steps are performed between themultiplication (M) and the square (S), as shown in step 403:

-   -   LHS+=X*R²+R    -   RHS+=X*R²−R

X is the value that is assigned to an input (e.g. an input A) and R isthe mask value.

In step 404, the method determines if the two consecutive operations aresquares (i.e. SS). If the operations are SS in step 404, the followingmasking steps are performed between the consecutive squaring operations,as shown in step 405:

-   -   LHS+=R²+R    -   RHS+=R²−R

In step 406, the algorithm determines if the two consecutive operationsin the exponent consist of a square operation and a multiplicationoperation (i.e. SM). If the operations are SM in step 406, the followingsteps are performed between the square (S) and the multiplication (M),as shown in step 407:

-   -   LHS+=R    -   LHS−=R

In step 407, a dummy value is added and then subtracted between thesquare (S) and the multiplication (M). In the example shown above, thedummy value is designated as the mask value R. However, the dummy valuecan be any value, since step 407 is essentially a dummy addition andsubtraction step.

FIG. 4C shows in detail the steps when the method of FIG. 4B is appliedto the exponent of FIG. 4A. Specifically, FIG. 4C illustrates theexecution of specific masking operations in the AMM based on thesequence of squaring and multiplication operations in the exponent ofFIG. 4A. As shown in FIG. 4C, the squaring operations are converted intoa series of multiplications and addition/subtraction steps, whicheffectively masks the squaring operations. The equations in FIG. 4C arebased on C programming language syntax, whereby the result from aprevious step forms the input A to a next step.

With reference to FIG. 4C, the accumulator A is first initialized instep 408, with the value X, according to the first bit of the exponent11001 of FIG. 4A. The following calculations are performed on the LHSand RHS parameters, in step 409:

-   -   LHS+=R->LHS=X+R    -   RHS+=R−>RHS=X−R

Next, a squaring operation is performed in step 410, using the LHS andRHS parameters calculated in step 409:

-   -   Square: LHS*RHS=(A+R)*(A−R)=(X+R)*(X−R)->X²−RR [Result]

In the example of FIG. 4C, the first and leftmost bit 1 corresponds to asquare and multiplication (SM). As stated previously with reference toFIG. 4B, a dummy value is added and then subtracted between a square (S)and multiplication (M). Therefore, a dummy addition and subtraction stepis performed on the result of step 410 in step 411, as shown below:

-   -   LHS+=R->LHS=(X²−R²)+R    -   LHS-=R->LHS=((X²−R²)+R)−R=X²−R² [Result]

Next, a multiplication operation is performed in step 412, using theresult from step 411.

-   -   Multiplication: (X²−R²)*(X)->X³−X R² [Result]

As shown in FIG. 4C, the second bit is a 1, and corresponds to amultiplication and square (MS). As stated previously with reference toFIG. 4B, if the operations are MS, the following calculations areperformed between the multiplication (M) and the square (S):

-   -   LHS+=X R²+R    -   RHS+=X R²−R

In step 413 of FIG. 4C, the above calculations are performed on the LHSand RHS parameters using the result of step 412 as shown:

-   -   LHS+=X R²+R->LHS=(X³−X R²)+(X R²+R)=X³+R    -   RHS+=X R²−R->RHS=(X³−X R²)+(X R²−R)=X³−R

Next, a square operation is performed in step 414 using the LHS and RHSparameters computed in step 413:

-   -   Square: LHS*RHS=(A+R)*(A−R)->(X³+R)*(X³−R)=X⁶−R² [Result]

In the example of FIG. 4C, the third bit of the exponent is a 0, andcorresponds to two squares (SS). As stated previously with reference toFIG. 4B, if the operations are SS, the following calculations areperformed between the consecutive squaring operations:

-   -   LHS+=R²+R    -   RHS+=R²−R

In step 415 of FIG. 4C, the above calculations are performed on the LHSand RHS parameters using the result of step 414 as shown:

-   -   LHS+=R²+R->LHS=(X⁶−R²)+(R²+R)=X⁶+R    -   RHS+=R² R->RHS=(X⁶−R²)+(R²−−R)=X⁶−R

Next, a square operation is performed in step 416 using the LHS and RHSparameters computed in step 415:

-   -   Square: LHS.RHS=(A+R)*(A−R)->(X⁶+R)*(X⁶−R)=X¹²−R² [Result]

In the example of FIG. 4C, the fourth bit is a 0, and corresponds to twosquares (SS). Subsequently, the following calculations are performed instep 417 using the result from step 416:

-   -   LHS+=R²+R->LHS=(X¹²−R²)+(R²+R)=X¹²+R    -   RHS+=R²−R->RHS=(X¹²−R²)+(R²−R)=X¹²−R

Next, the square operation is performed in step 418 using the LHS andRHS parameters computed in step 417:

-   -   Square: LHS*RHS=(A+R)*(A−R)->(X¹²+R)*(X¹²−R)=X²⁴ −R² [Result]

The last bit of the exponent in the example of FIG. 4C is a 1, and thiscorresponds to a square and multiplication (SM). Therefore, a dummyaddition and subtraction step is performed on the result of step 418 instep 419, as shown below:

-   -   LHS+=R->LHS=(X²⁴−R²)+R    -   LHS−=R->LHS=((X²⁴−R²)+R)−R=X²⁴−R² [Result]

As shown in FIG. 4C, a final multiplication operation is performed instep 420, using the result of step 419.

-   -   Multiplication: (X²⁴ −R²)*(X)->X²⁵ −X R² [Result]

From the example of FIG. 4C, one can observe that all the squaringoperations in the exponent have been converted into multiplicationsusing AMM.

In some embodiments, AMM can be applied to an exponentiation that usesthe sliding window algorithm. In these embodiments, the squares aremasked by conversion into multiplications, and some of the originalmultiplications can also be masked, as described previously withreference to FIGS. 4B and 4C. A square remains a square in terms ofwhere it fits into the exponentiation scheme. However, if a square isimplemented as a multiplication, an attacker may mistake the square fora 1 or a 3 (eg. in an MSM sequence in the sliding window algorithm), andthis may foil the attacker's decryption strategy.

In some embodiments, AMM can be applied to a small number of squares,and replaces these squares with true multiplications in which the resultis not discarded (unlike a dummy multiplication where the result isdiscarded). Most of the remaining unmasked squares in these embodimentswill continue to have optimized squares. An attacker may not be able todistinguish the masked squares from the unmasked squares using aclustering attack.

in another embodiment, AMM may be performed immediately after amultiplication, and this produces an MM sequence (two consecutivemultiplications). The MM sequence typically does not occur in any of thestandard exponentiation algorithms. Thus, the MM sequence can be used toconfuse an attacker.

In a further embodiment, AMM may be used to produce a pattern thatappears in the form SMSMSMSM, for example by converting the third S inthe sequence SMSSSMS into an AMM . . . This allows as many dummy ormasked squares to be inserted into the sequence without creating an MMsequence. The symmetrical pattern may lead an attacker to believe that abinary algorithm is being employed. However, since many of themultiplications are in fact squares, the number of raw ‘S’ operations isshorter than what the attacker would expect in the binaryexponentiation. As a result, the attacker has to be able to recognizethe AMM operations and distinguish the masked squares from the truemultiplies to decode the exponent.

Switching Mask Values Mid-Computation

In some embodiments, additional multiplications are used during anexponentiation to change the value of a mask or blinding factor. Thesemultiplications may provide resistance to SPA attacks that augments orcompliments AMM squares. These multiplications may be used to update acached AMM mask. They may also be used to update or change the value ofa blinding factor that is masking the exponentiation base. Additionallythis technique may be used to provide resistance to higher order DPAattacks. In the background art, when a blinding factor is applied to thebase at the beginning of a modular exponentiation (or prior to it), theblinded value becomes the base for future multiplications (and, withcache-based methods such as k-ary and sliding window algorithms, forentries in a cache). But cross correlation attacks may identify sets(clusters) of multiplications that all use the same, blindedmultiplicand. Using multiplications by a re-blinding factor to update acached base (or all cached multiples of a base) can double the number ofclusters an attacker must identify in a cross-correlation attack. Someembodiments of this invention also store the blinded value of 1 in atable of cached powers (corresponding to the exponent bit 0, or k 0s).When all entries in the cache are masked with a same blinding factor,then the inverse factor (the “unblinding” value) may be calculatedwithout requiring knowledge of high-level secrets like the exponentvalue. Embodiments of this invention can render cross correlationattacks harder, and achieve partial resistance against DPA attacks (inaddition to the primary SPA resistance for squares and multiplications).FIGS. 5A and 5B illustrate exemplary methods for switching a mask valuein the middle of a computation when AMM is being performed inexponentiation.

In the method of FIG. 5A, R′ is a new mask value. To switch from R toR′, the inverse of R needs to be computed, and the input valuemultiplied with R′. The inverse of R may be determined by calculatingthe multiplicative inverse of R within the group being used for themultiplications (e.g. the group modulo P).

Depending on which modular exponentiation routine is being used, eachentry X in the cache (corresponding to a power of the base) is stored insome embodiments using two values (for example, U and V). Having twomasked values for each base may result in a large number of pre-computedbases, which can increase memory requirements for the system. Forexample, in a sliding window with 16 entries (or more commonly 32 or 64entries), twice as many registers may be used to store U and V maskedrepresentation of the table. The values of R and its inverse maypre-computed and stored, along with the table. When updating the mask,in the example of FIG. 5A, a new mask value R′ and the inverse maskvalue (inverse of R) must be computed for the group—but these values(particularly the inverse of R) can be computed once during the updateprocess and reused when updating all entries in the cache. Note that themethod of maintaining separate U and V values is entirely optional, asthe value of U can be calculated from V by adding in twice the value ofR—and that some embodiments of the invention do not store U in thecache, and perform updates only on V

As shown in FIG. 5A, values U and V are received in step 502, where thevalues U and V are different masked representations of an input value X.Assuming the operations in the example of FIG. 5A take place between amultiplication and a square (MS) in which the outputs are masked as inFIG. 4.C, then U and V will be designated as shown in step 503:

-   -   V=XR²+R    -   U=X R²−R

Next, the inverse of R is calculated (or retrieved) in step 504.

In step 506, an update step is performed mid-computation to switch themask value from R to R′ for the value V. The details of the update step506 are shown in the series of calculations 507 of FIG. 5A:

V−=R->V=(X R²+R) −R=X R²

V*=R′->V=(X R²)R′

V*=R′->V=(X R²R′)R′

V*=inv(R)->V=(X R²R′R′)(inv(R))=XRR′R′

V*=inv(R)->V=(XRR′R′)(inv(R))=XR′R′

V+=R′->V=XR′R′+R′

Similarly, in step 508, an update step is performed mid-computation toswitch the mask value from R to R′ for the value U. The details of theupdate step 508 are shown in the series of calculations 509 of FIG. 5Aas follows:

-   -   U+=R->U=(X R²−R)+R=X R²    -   U*=R′->U=(X R²)R′    -   U*=R′->U=(X R² −R′)R′    -   U*=inv(R)->U=(X R²R′R′)(inv(R))=XRR′R′    -   U*=inv(R)->U=(XRR′R′)(inv(R))=XR′R′    -   U−=R′->U=XR′R′−R′

In FIG. 5A, the update step to switch from R to R′ comprises the seriesof multiplication and addition/subtraction steps as shown, which caneither be performed in a single memory location (cache entry) or inmultiple memory locations (cache entries). After the update step 506 iscompleted, the masked value V=X R²+R is transformed into V=XR′R′+R′mid-computation, where R′ is the new mask value. Similarly, the maskedvalue U=X R²−R undergoes the update step 508 to transform to U=XR′R′−R′mid-computation.

FIG. 5B illustrates another exemplary method of generating a new maskvalue without requiring computation of the inverse of the original maskvalue. The exemplary method in FIG. 5B may be more efficient than themethod in FIG. 5A, because the modular multiplicative inverse of Rmodulo base (P) does not have to be computed in the example of FIG. 5B.Instead, the new mask value {circumflex over (R)} is simply defined asthe square of R. In addition, the input U is updated together with V inthe method of FIG. 5B, without requiring additional multiplications.(This example is an alternative to the method of FIG. 5B in whichseparate multiplications are used when updating U.)

As shown in FIG. 5B, values U and V are received in step 510, where thevalues U and V are different masked representations of an input value X.Assuming the operations in the example of FIG. 5B take place between amultiplication and a square (MS), then U and V will be designated asshown in step 511:

-   -   V=X R²+R    -   U=X R²−R

Next, the new mask value {circumflex over (R)} is defined as the squareof the original mask value R:

-   -   {circumflex over (R)}=R²

In step 514, an update step is performed mid-computation to switch themask value from R to {circumflex over (R)} for the values U and V. Thedetails of the update step 514 are shown in the series of calculations515 of FIG. 5B as follows:

-   -   V−=R->V=(X R²+R)−R=X R²    -   V*={circumflex over (R)}->V=(X R²)(R²)=X R⁴    -   U=V−R²->U=X R⁴−R²

V+=R²->V=X R⁴+R²

In contrast to the method of FIG. 5A, the method of FIG. 5B requiresfewer number of computational steps and does not require calculation ofthe inverse mask value. Therefore, the method of FIG. 5B iscomputationally more efficient than the method of FIG. 5A, and alsorequires fewer memory registers.

Switching LHS and RHS Parameters to Increase Number of Clusters

FIG. 6A illustrates an exemplary method of countering clusteringattacks. Specifically, the method of FIG. 6A switches the LHS and RHSparameters to increase the number of clusters to counter againstclustering attacks. Some embodiments of the invention employ hardwaremultiplication circuitry in which the LHS and RHS parameters are handledthrough different circuit paths, and where side channel leakage mayreveal a different pattern of variations depending on whether an inputis on the left hand side or the right hand side. In some embodiments,the method of FIG. 6A can be used in conjunction with any of theexemplary methods described with reference to FIGS. 2A-B, 3A-B, 4A-C,and 5A-B. When employing LHS and RHS swapping together with AMM squares,many embodiments perform the asymmetric masking first and the LHS-RHSassignment second, as swapping the elements has less benefit when theinputs are identical.

In step 602 of FIG. 6A, the LHS parameter is designated as the base, andthe RHS parameter is designated as the accumulator. The output is thencalculated by multiplying the LHS parameter (base) and the RHS parameter(accumulator) in step 604. It is noted that in typical multiplicationsin a modular exponentiation, the exponentiation intermediate (which maybe called the “accumulator”) is multiplied by a value which may be theexponentiation base or a table entry corresponding to a precomputedpower of base (or one). In modular exponentiation, the exponentiationintermediate would be loaded into the side designated as theaccumulator, and the table entry (base or power of the base) would beloaded into the side designated as the base.

Instead of always having an input A on the LHS (the accumulator) and thebase on the RHS, both sides (LHS and RHS) may be switched duringcomputation, such that the RHS becomes the accumulator and the LHSbecomes the base (as shown in step 606 of FIG. 6A). The output is thencalculated by multiplying the switched LHS and RHS parameters (step608). As shown in step 608, the output is now the product of the LHSparameter (accumulator) and the RHS parameter (base). Subsequentoperations after the switch will be based on the switched LHS and RHSparameters.

As shown in FIG. 6A, the assignment of the accumulator and themultiplicand (base) parameters to the LHS and RHS of the multiplicationcircuit can be switched during computation. For example, at the start ofeach multiplication, inputs could be assigned to the LHS or RHS atrandom. Alternatively, in some embodiments, the inputs are assigned toLHS and RHS by a predetermined non-random sequence. This may rendercross-correlation (clustering) attacks more difficult. Instead of havingonly one cluster pertaining to input X, a new cluster relating toanother input X′ is created when the LHS and RHS parameters areswitched. The squaring and multiplication operations will appeardifferently in the power traces between these two clusters, and this canprovide resistance against high-order DPA attacks.

In some embodiments, the switching of the LHS and RHS parameters cancontinue throughout the computation at either fixed or random intervals.Even though there will be only two clusters regardless of the number oftimes the sides are switched, an attacker will still have to determinewhich operations fall into which cluster, in order to successfullyperform a clustering attack.

Negation of Parameters to Increase Number of Clusters

FIG. 6B illustrates another exemplary method of countering theclustering attacks described above. Specifically, the method of FIG. 6Bemploys the negation of one or more input parameters to increase thenumber of clusters for resistance against clustering attacks. Someembodiments of the invention employ multiplication circuitry in which avalue P−X can be validly represented and is different from X, and wheremultiplication by X′=P−X reveals different leakage in a side channelthan multiplication by X. In some embodiments, the negating method ofFIG. 6B is used in conjunction with the switching method of FIG. 6A tofurther increase the number of clusters. In some embodiments, the methodof FIG. 6B are used in conjunction with one or more of the exemplarymethods described with reference to FIGS. 2A-B, 3A-B, 4A-C, and 5A-B.The negating method of FIG. 6B may be used when the operation is asquare (In₁ equals In₂) or a multiply (In₁ does not equal In₂). It isnoted that when employing the method of FIG. 6B with a square to negateone and only one of the input parameters, the result is a multiplicationin which the LHS and RHS parameters are not identical, which although itis not masked, may provide some of the benefits against SPA attacks thatthe AMM squares provide.

In the method of FIG. 6B, negating a number is a modular operation andis performed by subtracting the number from the input prime P. An outputvalue that is a negative number can be negated again to obtain acorrected positive output value. For example, if the output is negative,the output can be subtracted from P to obtain the correct output. Insome embodiments, the value is multiplied by negative 1 to obtain thepositive output.

In step 610 of FIG. 6B, the LHS parameter is designated as In₁ and theRHS parameter designated as In₂. The output is calculated by multiplyingthe LHS parameter and the RHS parameter in step 612.

Next, one or more parameters are negated (step 614). In onemultiplication, the LHS parameter is negated (step 616), and is givenby:

-   -   LHS=P−In₁

In a different multiplication employed within the same modularexponentiation, the RHS parameter is negated (step 618), and is givenby:

-   -   RHS=P−In₂

In some embodiments of the invention, at yet another multiplicationwithin the same modular exponentiation, both the LHS and RHS parametersare negated (step 620), and are given by:

-   -   LHS=P−In₁    -   RHS=P−In₂

After the negating step, the output is calculated by multiplying the LHSand RHS parameters (step 622). If only one of the LHS or RHS parametershas been negated (e.g. step 616 or step 618), the output is a negativenumber. The output is a positive number when both the LHS and RHSparameters have been negated (step 620), and it is also positive inmultiplications where neither the LHS nor RHS parameter was negated.

Depending on the total number of negations in the multiplication, an endresult may be negative or positive. At step 624, it may be determinedwhether the calculated output of step 622 is a positive number or anegative number. In the optional step 626, if the output is a negativenumber, the corrected positive output is calculated. In some embodimentsthis is performed by subtracting the output from P. In some embodimentsthe output may be negated by multiplying it by a negative number (e.g.−1, or P−1) to obtain a positive number (step 626). If the output is nota negative number (i.e. the output is positive), the output is of thecorrect polarity and there is no need to negate it. When the output ofthe operation (or a descendant output) becomes the input to a squaringoperation—as is often the case in embodiments that are implementing partof a modular exponentiation—then it is not necessary to make the signpositive. The result of the subsequent square will be positiveregardless of whether the sign of its input was positive or negative.Correcting the sign is only necessary when no further squarings will beperformed on the value during the exponentiation.

Thus, the LHS and RHS parameters can be negated in a number of waysusing the method of FIG. 6B to produce more clusters, as shown in thefollowing four quadrants:

LHS = In₁ LHS = P − In₁ RHS = In₂ RHS = In₂ LHS = In₁ LHS = P − In₁ RHS= P − In₂ RHS = P − In₂

In some architectures, the above four quadrants may appear as twodifferent clusters because leakage may either be dominated by the LHS orthe RHS. In situations where this is anticipated, some embodimentsemploy only two of the four quadrants. Two-quadrant embodiments that usequadrants on a diagonal (i.e. the “+,+ and −,−” or “+,− and −,+”) willobtain two clusters regardless of whether the leakage is dominated bythe LHS. or the RHS parameter. As noted above, when applied to a square(i.e. where In₁ equals In₂), a two-quadrant embodiment that uses onlythe “−,+ and +,−” cases results in squares in which the LHS and RHSparameters are not identical and thus the side channel leakage from themultiplier may appear different from a square in many embodiments.

As stated previously, increasing the number of clusters (such asdoubling or quadrupling the number of clusters) in a clustering problemprovides greater resistance against a cross-correlation and otherclustering high order attacks. In addition, performing subtraction stepsto render numbers negative is a method which complements AMM, becauseAMM also contains many addition and subtraction steps. As a result, itmay be difficult for an attacker to keep track of which step is anaddition or subtraction contributing to AMM, and one that isimplementing randomized negation.

It is noted that in some instances, an attacker may be able to detectdummy additions and subtractions (such as in step 419 of FIG. 4C) due tosmall timing differences in the power traces. However, negating anoperand is an actual subtraction, not a dummy subtraction. Thus,negative numbers provide another level of security by incorporating adifferent type of subtraction relative to dummy subtractions.

In some embodiments, the negation of parameters is performed randomly.In other embodiments, the negation of parameters is be performed on aregular schedule (for example, every other multiplication is madenegative, and the result of the final multiplication is alwayspositive).

As stated previously, in some embodiments, the negating method of FIG.6B is used in conjunction with the switching method of FIG. 6A tofurther increase the number of clusters. In these embodiments, switchingthe LHS and RHS parameters doubles the number of clusters, and adding innegations doubles the number again. This can quadruple the number ofclusters, leading to a significant increase in the number of clusters inthe clustering problem that an attacker has to solve.

In some embodiments, the negating method and switching method are usedin conjunction with AMM, and this provides a countermeasure that iscomplementary to Joint Message and Exponent Blinding (JMEB), which isdiscussed in further detail below.

FIG. 6C shows an example whereby switching parameters from the left sideto the right side can be effective in breaking correlations, because theswitching increases the number of clusters that an attacker has todecode.

As noted previously, it may be difficult for an attacker to exploit thecorrelation in the L-R relationship. Even if the attacker has determinedall the entries in cluster A and which clusters (e.g. B, C, and D) theother entries fall into, the attacker may still have difficultydetermining which cluster is a prime (A′, B′, C′, and D′) when theparameters have been switched.

In a cluster comprising entries A*B's and A*A's where the B's are alwayson the right hand side, if an attacker performs a cross correlationattack on the cluster, the attacker may succeed because the entries inthe cluster have an R-R correlation. However, switching half of theentries in the cluster to the left hand side will form a new clusterL-L, and result in two clusters. An attacker may be able to determinewhich entries are in the L-L cluster if the attacker performs asufficient number of power traces. However, it may require many moretraces for the attacker to determine the R-L correlation between theentries in the two clusters, particularly if the entries are part of asame family.

The decoding problem increases in difficulty when the entries includemultipliers by A*C. Similarly, the entries A*C and C*A can have eitherR-R or L-L correlations.

In some embodiments, using a loop structure that masks intermediates canincrease the number of clusters and reduce the exploitability of leaks.

FIG. 6C illustrates a hypothetical case in which there are four clusters(1, 2, 3, 4), and where entries A*B belong to cluster 1, entries A*Cbelong to cluster 2, B*A belong to cluster 3, and C*A belong to cluster4. To solve for the exponent, an attacker has to determine to whichcluster the respective entries belong. As shown in FIG. 6C, one way toreduce the exploitability of leaks is to switch the parameters from theright hand side to the left hand side. The switching increases thenumber of clusters, and possibly reduces the exploitability of leaks.

It is noted that certain word-oriented multiplication architectures rundetectably faster if one of word of an input operand is zero. However,because the L and R parameters are processed differently, the leakagerates for those two parameters are likely to be different. For example,suppose the leakage function H(LHS,RHS) reveals information about theinput operands in a multiplication, and suppose that H(LHS,RHS,OUT) canbe expressed entirely as the concatenation of an H₁(LHS) that leaks onlyinformation about LHS, with an H₂(RHS) that leaks only information aboutRHS, and a function H₃(OUT) that leaks information about the output.Consider the case where the leakage function H₁(LHS) reveals the highestorder bit of each word of LHS, in a 32-word representation; and considerthe case where the leakage function H₂(RHS) reveals, for each byte ofRHS, whether that byte is zero. In this example, H₁(LHS) reveals 32 bitsof information about LHS, while the amount of information that H₂(RHS)reveals about RHS is variable, depends on the value of RHS, andpotentially reveals the entire value of RHS (e.g. in the case whereRHS=0). Thus, 32 bits of information about LHS and some informationabout RHS can be obtained.

Because more information relating to one side may be obtained comparedto the other (e.g. more bits of information may be obtained about LHSthan RHS), it is commonly observed that one of the leakage functions(either LHS-LHS or RHS-RHS) can leak more than the other. For example,the leakage function on the LHS-LHS side may leak more than the leakagefunction on the RHS-RHS side, or vice versa. This can translate to oneof the leakage functions requiring, e.g., ˜10,000 operations todetermine whether two sets of multiplications belong to the samecluster, whereas given the other leakage function it may only require,e.g., 100˜1,000 operations to make the same determination. On the otherhand, resolving a LHS-RHS relationship can require many more, e.g., amillion operations, since the information leaked about the LHS and RHSparameters is different, which makes it harder to determine whether theyare identical. In addition, a third type of cross-correlation attackrequires detecting whether the output of one operation is the input to asubsequent operation. In general, H₃(OUT) is quite different from H₁( )and H₂( ), and this similarly makes testing for identity difficult.Resolving a relationship in which the output of one operation is theinput to a subsequent operation can require millions of operations todetermine, because of the even lower degree of similarity between thosefunctions. It is thus observed that the leakage rates are different foreach leakage function, and that the amount of information that's usefulin detecting similarity depends not only on the leakage rates but on thestructure of the relationship between leakage functions.

In a modular exponentiation example in which all multiplications by acached power of the base (the multiplicand) place that multiplicand onthe right hand side, the primarily R-R correlations that will be usefulto identify the clusters. On the other hand, if the same circuit wereused to implement this modular exponentiation, but the multiplicands arealways placed into the left hand side, then L-L correlations must beexploited to solve the clustering problem. In general, because the H₁( )and H₂( ) are different leakage functions, one of these problems islikely to be harder to solve than the other. A designer may not know inadvance which correlation is easier to exploit. Employing thecountermeasures of FIG. 6A and FIG. 6B requires the attacker to solvesome clusters of each kind—and regardless of which clustering problem isharder to solve, roughly half of the multiplications will be part of a“harder” clustering problem.

For example, if a manufacturer produces a smart card with all L-Lcorrelations and another smart card with all R-R correlations, it may beeasier to hack into one card than the other because of the difference inleakage between the two cards. The reason behind one card leaking morethan the other is because the parameters are computed in different waysby the circuit. The designer, however, does not know in advance how thecircuit computes the parameters and which card has more leakage.Furthermore, it is difficult to design both cards (one with L-Lcorrelations and the other with R-R correlations) to leak exactly thesame amount. Therefore employing a mixture of L-L and L-R clusters islikely to leave an attacker with a number of hard clusters to detect—andwill reduce the number of examples in each cluster.

As stated previously, one countermeasure is to increase the number ofclusters by switching the parameters. For example, if one clustercomprises entries with L-L relationships and another cluster comprisesentries with R-R relationships, and the R-R relationships are moredifficult to decode than L-L relationships, the security of the systemwill depend largely on the entries having the R-R relationships, and onthe difficulty of mapping L's to R's in the entries having L-Rrelationships.

Thus, in the types of clustering problems described above, aclose-to-secure implementation may be obtained when an attacker is notable to determine half of the entries in the clusters after the entrieshave been switched from the right hand side to the left hand side(increases the number of clusters). In addition, negating half of theparameters (e.g. the L-L cluster) can further split the clusters intomore clusters. For example, assuming that the L-L clusters have veryhigh leakage and the L-L clusters have been split into an L-L positivecluster and an L-L negative cluster, an attacker may be unable todetermine that the L-L positive cluster and the L-L negative cluster infact belong to the same original L-L cluster. As the result, theattacker may be unable to merge the two clusters (L-L positive and L-Lnegative) into one cluster.

When designing the card, system designers often consider ways tomitigate the leakage rate between clusters. They typically attempt toeliminate all leakage—or as much as is cost-effective to eliminate. Butsome leakage may get through, and embodiments of this invention employ acombination of multiplication hardware with control circuitry orsoftware for supplying inputs to the multiplication hardware in a waythat partially mitigates leakages. In practice, the leakage rate isusually not the same in L-L and R-R clusters. As a result, one often hasto rely on the more secure side (L or R) to protect the system.

In summary, switching the parameters from the right hand side to theleft hand side and negating the clusters can increase the number ofclusters and reduce the exploitability of leaks.

Masking Intermediate Values

Masking of intermediate values in modular exponentiation can prevent DPAattacks. For example, in typical blinded modular exponentiation, aninput can be effectively masked and randomized when the input ismultiplied by a mask (or blinding factor) that is unknown to theattacker. The masked and randomized input can later be unmasked(unblinded) at the end of the operation. As mentioned previously, onecommon way of doing this (for exponentiation with for example the RSAdecryption) is to compute the decryption of a C (i.e. M=C^(D) mod N)using a mask value U by finding (B=1/U^(E) mod N), letting C′=C*B mod N,computing T=(C′)^(D) mod N, and finally M=(T*U) mod N. In that previousexample, the blinding factor B and unblinding factor U can be computedprior to an exponentiation (cached), and the relationship betweenblinding factor and unblinding factors depends on N and the encryptionexponent E. Because the blinding factor is applied once and not changedduring the exponentiation, many multiplications during theexponentiation may take place using a shared value—a power of C′—a factthat may be detectable with a cross correlation (clustering) attack.This section describes embodiments that use additional multiplicationsduring an exponentiation loop in a way that changes a masked or blindedvalue, and thereby provides resistance to high-order DPA attacks. Insome embodiments, the value of 1 stored in a cache is multiplied by ablinding factor X (which may be the same as an input blinding factor B,or may be different). Multiplications involving the maskedrepresentation of 1 are really influencing the value in the accumulator(i.e. are not dummy multiplications). These multiplications also providea major benefit against SPA, as the output of the modular exponentiationstep (prior to an unmasking step) the product of a power (D) of theinput base and a power (Alpha) of X—but the two powers may not beidentical. The unmasking parameter now depends on the power Alpha. Insome embodiments, as will be seen below, other entries in a cache arealso masked by X, and as a result the exponent Alpha is a function ofthe structure of the loop and is independent of D.

As shown in FIG. 7A, F is a blinded representation of 1 using a maskingparameter X, where the operation yields an output i⁶*(X) that is theproduct of a power of the base with a power of the mask. The result ofthis multiplication is stored in the accumulator and becomes an input tosubsequent squares (and multiplies), in contrast to the exponent valueof 7 (given by i⁶*i¹) as shown in FIG. 1L. At each subsequent stage inthe example of FIG. 7A, the accumulator continues to hold a value thatcan be expressed as a product of the base (i) raised to some power(which is a prefix of D) with the mask (X) raised a different power(which is a prefix of Alpha). Bits of the exponent Alpha are nonzero atleast in cases where the corresponding window of bits in D are zero. Themasked computation of FIG. 7A can be contrasted to the example of FIG.1L, where a multiplication output is discarded, and a next operation(after the dummy multiply) uses the output of the previous operation(prior to the dummy). As shown in FIG. 7A, the dummy multiplications arereplaced with multiplications by a mask. By replacing the dummymultiplications with masking operations, the dummy multiplications areno longer discarded. This can further foil cross correlation attacksthat rely on determining the cross correlation between discarded andnon-discarded results during computation.

FIG. 7B illustrates an exemplary embodiment in which all entries in acache are masked. In this example, the same mask value (X, i.e. X¹) isapplied to each entry in the cache. As a result, each multiplication byan entry in the cache contributes the same power of X into theaccumulator and the power Alpha is therefore independent of D. (Alphamay depend on the length of D—or more precisely, on the number ofiterations used for the exponentiation loop—but does not depend on thesequence of particular bits in D.)

FIG. 7B shows a mask X, base C, a table with four entries (correspondingto a two-bit window), and an exemplary exponent 10110001. As shown inthe table of FIG. 7B, for the unmasked multiplications, multiplicationby entry 0 (corresponding to the block of exponent bits 00) correspondsto multiplying by 1 (C°=1); multiplication by entry 1 (block of exponentbits 01) corresponds to multiplying by C¹ (i.e. C); multiplication byentry 2 (block of bits 10) corresponds to multiplying by C²; andmultiplication by entry 3 (bits 11) corresponds to multiplying by C³.

After masking with X, the entry 0 may be as different from entry 1, 2,or 3 as entries 1, 2, and 3 are from each other. However if an attackersubmits the ciphertext C=0, and if C⁰ is treated as identically equal to1, this may create a situation in which some embodiments hold X in entry0, but 0 in entries 1, 2, and 3 when C is zero. Performing anexponentiation using such a table may reveal information about theexponent. But in fact, in math the value 0 raised to the 0 is an“indeterminate form” (i.e. is not equal to 1). Some embodiments handlethis special case by returning 0 when C=0, without bothering to crankthrough the exponentiation. Some other embodiments load 0 into all tableentries when C=0. Still others may throw an exception. (Some embodimentsdo not include special circuitry for detecting whether the value Cequals zero, or for handling it differently.) (This paragraph is notmeant to be an exhaustive list of the components or methods thatembodiments may or may not include for detecting and handling thespecial case of C=0.)

In the example of FIG. 7B, the table entries are masked by multiplyingwith the value X, to produce 1*X, C*X, C²*X, and C³*X. (Multiplicationhere and throughout the application refers to multiplication in agroup—often the group modulo a composite N or prime P or Q. As a result,the size of the representation of each entry in this table may be thesame as the size of C, represented in this group.) As a result, whenthis table is used for a k-ary square-and-multiply-always exponentiation(where multiplications by entry 00 are used, rather than with discards),each multiplication by a power of C using an entry in the table (Craised to its corresponding power) also multiplies the accumulator by X.

After this masking step, the value of the table entry corresponding tothe block of k bits ‘00’

In FIG. 7B, following the k-ary square and multiply always algorithmwith exponent 10110001 and using the first table of “unmasked values”will produce C¹⁰¹¹⁰⁰⁰¹ at the end of the sequence. Using the “maskedvalues” table will produce a different result. The value in theaccumulator is initialized with the (10) entry, equivalent to C raisedto the power of two (10) multiplied by the mask X is raised to the powerone (01), or (C¹⁰*X⁰¹)—with the exponents represented in binary, forconvenience. After the accumulator is squared twice, it holds the value(C¹⁰⁰⁰*X⁰¹⁰⁰). The next two bits of the exponent are three (11), somultiplying by the masked entry for 11 (C³*X) yields the value(C¹⁰¹¹*X⁰¹⁰¹). After two more squares, the accumulator holds(C¹⁰¹¹⁰⁰*X⁰¹⁰¹⁰⁰). The next two bits of the exponent are zero (00), somultiplying by the masked entry for 00 (1*X) yields the value(C¹⁰¹¹⁰⁰*X⁰¹⁰¹⁰¹). After two more squares, the accumulator holds(C¹⁰¹¹⁰⁰⁰⁰*X⁰¹⁰¹⁰¹⁰⁰). The next two bits of the exponent are one (01),so multiplying by the masked entry for 01 (C*X) yields the value(C¹⁰¹¹⁰⁰⁰¹*X⁰¹⁰¹⁰¹⁰¹). After each multiplication the accumulator holdsthe product of C raised to some prefix of D, by X raised to someexponent 010101 . . . 01 where the number of ‘01’s equals the number oftimes the loop has iterated—but is otherwise independent of D.

Thus, by masking the four entries in the table with the same value of X,each multiplication by a table entry results in the exact same power ofX contributing to Alpha. As a result, the value of Alpha is independentof D. Furthermore, the exponent D is masked by Alpha, because thesequence of squares and multiplies now depends on both D and on Alpha.The longer a loop is computed using this structure, the longer thesequence becomes. However, the power that X is raised to is a functionof the length of the loop only; not, a function of the particularexponent value that is being used. (Values of Alpha other than ‘01010101. . . 01’ may arise from other loop structures—as will be seen below.However, these remain independent of D.) Because the sequence of squaresand multiplies in the exponentiation loop depends on both D and Alpha,this masks the exponent against SPA; and because the parameter X ismasking (blinding) the entries in the table, the exponent and message(ciphertext) are simultaneously blinded.

One advantage of the exemplary embodiment in FIG. 7B is that optimizedsquares can be used. As noted previously, in some algorithms, revealingwhich operations are squares leaks information about the key. However,if optimized squares are used with a square-and-multiply-alwaysapproach, then the pattern of squares does not reveal the key. It isnoted that optimized squares may be roughly 30% faster than multiplies,which may partly offset the fact that (for a given cache size) asquare-and-multiply-always algorithm uses more multiplies than manyother algorithms.

One disadvantage of the exemplary embodiment in FIG. 7B may be therequirement of a high memory overhead. The number of entries required inthe table grows exponentially with k (the number of bits that are beingprocessed at one time). For a given k, the size of the table for thesquare-and-multiply-always algorithm is one entry larger than thestandard k-ary algorithm, and k/2+1 entries larger than the slidingwindow algorithm. The memory cost may be doubled again if combined withAMM squares, although some embodiments of FIG. 7B also embody FIG. 6Aand FIG. 6B without further increasing the size of the cache.

FIG. 7C shows another embodiment, in which blinding by a parameter B isalso performed on the input C to produce C′, and the exponentiation isperformed on the input C′—that is, the input C is replaced with C′; C²with (C′)²; and C³ with (C′)³. As with FIG. 7B, all entries in the tableare masked. As a result, the value of 1 and all other powers of C storedin the table are multiplied by the mask X, which produces 1*X, (C)*X,(C′²)*X, and (C′³)*X.

As shown in FIG. 7C, C′=C*B which is equivalent to(C′)¹⁰¹¹⁰⁰⁰¹=(C¹⁰¹¹⁰⁰⁰¹)*(B¹⁰¹¹⁰⁰⁰¹). Since the exponent for the base Bis the same as the exponent for base C, one can convert its invertingfactor using the public key. The power of B is the exponent D. Becausethe unblinding factor corresponding to B depends on D, while theunblinding factor corresponding to X does not (but depends instead onAlpha), these unblinding factors are computed separately. However theirproduct may also be computed and stored, allowing the exponentiationresult to be unblinded efficiently using a single multiplication. Insome embodiments, these unblinding factors are maintained separately andthe device is configured such that one component (such as acryptographic library) creates and stores B or X and its unblindingfactor, while another component (such as an application) creates andstores the other value and its unblinding factor.

Applying Mid-Loop Updates

Applying mid-loop updates during exponentiation can be used to defeathigher order DPA attacks. As stated previously, there are many types ofhigher order DPA attack, including two that will be discussed inreference to this design. The first type of attack solves a clusteringproblem by solving for the clusters of different entries within a singletrace, and can succeed even when inputs to the trace are appropriatelymasked. The second type of attack is a horizontal cross-correlationattack that integrates leakage across multiple traces.

Mid-loop updates can interfere with the aforementioned attacks byupdating the mask parameters during the computation, effectivelyincreasing the number of clusters that must be detected, and reducingthe number of examples of each type being classified. FIG. 8Aillustrates some embodiments of mid-loop updates.

FIG. 8A shows a mask X, base C, a table with four block entries, and asequence SSMSSMSSM . . . , similar to that shown in FIG. 7B. The values1, C¹, C², and C³ corresponding to block entries (00), (01), (10), and(11), respectively, are first masked by X, and this produces X, C*X,C²*X, and C³*X, respectively, in a first table. The first table is thetable used for the multiplications prior to a mid-loop update.

Next, a mid-loop update is applied during computation by multiplying thevalues (X, C¹*X, C²*X, and C³*X) corresponding to block entries (00),(01), (10), and (11), respectively, by some value to produce a tablemasked with a new masking parameter Y. This produces a second tablecontaining Y, C*Y, C²*Y, and C³*Y, respectively, after the mid-loopupdate.

Thus, a first table is used for the first half of the exponent beforethe mid-loop update, and a second table is used for the second half ofthe exponent after the mid-loop update. In some embodiments, the updateis performed without using or uncovering the unmasked powers of C. Thefinal output of the calculation is given by C^(D)*X^(Alpha)*Y^(Beta). Inthis configuration, each entry in the first two-bit table contains apower of C multiplied by one value X. As the exponentiation loopiterates, the accumulator holds a power of C multiplied by X raised tothe exponent Alpha, where Alpha=01010101 . . . 01. If there are m numbermultiplies, then Alpha will consist of m number of (01) values followedby a string of zeros. After the mid-loop update, the computation isswitched to Y instead of X, and the Y value is raised to the exponentBeta, where β=01010101 . . . 01.

As shown in FIG. 8A, prior to the mid-loop update, there will be a (01)value for each multiplication in X. After the update, all the valuesthat are in the accumulator at the point in which X is switched to Ywill remain in the accumulator. Each subsequent squaring operation willeffectively shift the exponent of the values in the accumulator by onebit to the left. The power which X is raised to (i.e. Alpha) is 01010101. . . 01 followed by a string of zeroes, where the number of zeroes inthe string of zeros equals the number of times the accumulator issquared following the update.

Thus, prior to the update, the number of bits in the sequence Alpha isequal to the product of the number of multiplications before the updateand the number of bits per multiplication. As shown in FIG. 8A, theoriginal two-bit table comprises four multiplication values (0, 1, 2,3). After the update (switch from X to Y), the pattern 01 will repeatfour times (i.e. 01010101), which is eight bits long. Basically, thenumber of bits after the update will be twice the number ofmultiplications, because each multiplication corresponds to a two bitportion of the exponent.

The exemplary mid-loop update of FIG. 8A can provide resistance tohigher order DPA attacks. For example, an attacker performing aclustering attack may observe a large number of multiplies (100˜1000multiplies), instead of only four multiplies (as in the original two-bittable). Since there are numerous instances of each entry in the cluster,the attacker will then have to determine which of the multiplicationsare 0's, 1's, 2's, or 3's.

After the mid-loop update, since the actual entries in the originaltable have changed, the SPA and statistical leakage signatures formultiplication using those entries will also change. For example, priorto the update, the entry 0 holds X. After the update, the entry 0 holdsY. (We may call the updated entry 0′ to indicate the entry 0 after theupdate; but many embodiments use the same memory location to hold 0′ asheld 0). In some embodiments, the values X, Y, and Y/X are unpredictableto an attacker, and therefore with high probability the relationshipbetween entry 0 and entry 0′ is different from the relationship betweenentries 0 and 1, between 0 and 2, between 0 and 3, between 0′ and 1′,between 0′ and 2′, and between 0′ and 3′,

In some embodiments, the masking parameters X and Y can be randomlychosen during an initialization stage, but then may be stored in amemory and subsequent values for X and Y (and unmasking parameter) maybe efficiently generated from previous values. In other embodiments, Xand Y can be totally independent and may be generated (together with anunmasking parameter) during an exponentiation initialization step. Inany case, an unmasking parameter corresponding to any X and Y pair canbe found so long as both X and Y are invertible members of the group(for example, are nonzero). Calculating the unmasking value requiresonly knowledge of the modulus (e.g. N or P) and of the exponents Alphaand Beta (which depend on the loop length and on where the updateoccurs) but does not require knowledge of a secret exponent D. Thus maskparameters for an embodiment of this invention implementing RSA can becalculated using only the public parameters in the RSA key. Someembodiments are configured to accept a mask value (X) or set of maskvalues (X, Y, or X, R etc), and a corresponding unmasking valuegenerated externally (e.g. by a personalization server). Someembodiments further perform a test to confirm that the unmaskingparameter corresponds to the masks. Some embodiments containcountermeasures to glitch (fault induction) attacks, which have aneffect of also confirming the correspondence between masks and unmaskingparameter(s). Some embodiments calculate an inverse blinding factorcorresponding to all masks simply by performing the maskedexponentiation using a set of masks on an input C=1, using nounmasking—or using a temporary unmasking parameter of 1—and then takingwhatever output results, and inverting it in the group (i.e. mod N or P)to obtain the correct unmasking parameter.

In some further embodiments, Y can be computed as a function of X, andthis can be embodied with an efficient update process. (Because Y can becomputed from X, such embodiments may also be more memory efficient.) Inone embodiment, Y is the square of X. This has the additional advantagethat values can be updated in place, without requiring extra memory. Forexample, updating table entry 3 from (C³X) to (C³X²) requiresmultiplying by X. X is stored in table entry 0. So the update can beefficiently computed by calculating the product of 0 and 3 and storingthe result in entry 3. Similarly, entry 2 is updated from the product ofentries 0 and 2, and entry 1 is updated with the product of entries 0and 1. Finally, entry 0 is updated with the square of 0.

When Y is a function of X, X^(Alpha)*Y^(Beta) can be rewritten asX^(Alpha′) for some exponent Alpha′. In the 2-bit example, with Y=X²,Alpha′ equals 01010101 . . . 0110101010 . . . 10, where the length ofthe ‘01’ segment equals the number of squares prior to the update, andthe length of the ‘10’ segment is equal to the number of squares afterthe update. If more updates are performed by squaring, after the secondthe entries are masked by X⁴, and after the third the entries are maskedby X⁸, etc. Each ‘square’ operation shifts the bits of Alpha′ left by 2,and each multiplication by a table entry adds the corresponding power ofX into Alpha′. So right after the update from mask=X² to mask=X⁴, thelow order bits of Alpha′ are . . . 1010. After two squares, Alpha′ endswith . . . 101000. After the next multiplication (which includes aparameter masked by X⁴ which—expressing the exponent in binary—isX¹⁰⁰)the value of Alpha′= . . . 101000+100= . . . 101100. Forconvenience, when Y is a power of X, this exponent may be referred to as“Alpha” without the “prime”.

In some embodiments, the mid-loop update can be performed more easilywith an additional memory cell. As noted previously and as shown in theequation in FIG. 8A, to move from table mask X to table mask Y duringthe update (or from the table before the update to the table after theupdate), the table entries may be updated by multiplication. If aspecific new value of Y is desired, that is independent of X, the updatemay be performed by computing the inverse of X (in the group) and thenR=Y*X⁻¹ (in the group), and updating all table entries by multiplyingwith R. In practice, the table masked by X can simply be multiplied by arandom R which can be any value—that is, some embodiments generate an Rat random such that R is guaranteed (or has high probability) to beinvertible in the group. In this case, Y=R*X. The inverse blindingfactor may be calculated from X and Y, as before.

To obtain the correct output from a modular exponentiation, the value atthe end of the exponentiation loop needs to be multiplied by anunblinding factor. As noted above, the blinding factor is a function ofX and Y. Calculating a blinding factor for new X and Y values generallyinvolves computing an inverse, and this may require more computationthan is desirable. So an efficient approach involves storing theblinding factors X and Y and a corresponding unblinding factor—thenusing these to efficiently compute new blinding factors in subsequentcomputations. This will be discussed in more detail below.

As stated previously, one embodiment of the mid-loop update comprises Ybeing the square of X. In this embodiment, the algorithm searches fromthe left table to the right table and finds a new value derived from themultiplication of one table entry by another table entry. If the updatedzero entry is computed last, the updates can then be performed in place.An exemplary algorithm is provided as follows. First, the third entry ismultiplied by the zero entry, and the resulting value overrides theprevious third entry in the table. Next, the second entry is multipliedby the zero entry, and the resulting value overrides the previous secondentry in the table. Following that, the first entry is multiplied by thezero entry, and the resulting value overrides the previous first entryin the table. Lastly, the zero entry is squared and the resulting valueoverrides the previous entry zero in the table. Performing thesquare-and-multiply-always exponentiation loop with masked table leadsto the sequence—SSM SSM SSM SSM . . . At the update step, an updatesequence comprising a block of multiplies (MMMS) is inserted in betweentwo SSM sequences, as shown in FIG. 8A. (If multiple cores areavailable, the operations may be performed in parallel, so long as thezero entry is read for all multiplications before it is overwritten bythe square.)

The block of multiplies (MMMS) is the SPA signature of the mid-loopupdate algorithm. Basically, the update of the table mid-computationallows the multiplies before the update to group into a different set ofclusters than the multiplications after the update, thereby providingresistance to higher order DPA attacks (e.g. clustering attacks). Fork-arry exponentiation (i.e. with 2^(k) table entries), each updateincreases the total number of “clusters” in the exponentiation by 2k.For example, in a 5-bit implementation, the table holds 32 entries. Anattacker would need to correctly classify multiplications into 32clusters in a normal k-arry exponentiation implementation. With oneupdate in the middle of the modexp loop, the attacker would need toclassify each operation into one of 32 clusters, (with half as manymembers in each cluster) and would also need to determine the mappingsbetween each of 64 clusters and a 5-bit sequence of bits. Update stepsmay be performed many times during an exponentiation. With two updatesperformed in the calculation, in a 5-bit implementation, each operationwould need to be classified into one of 32 clusters (with one third asmany members in each cluster), and then the attacker would need todetermine the mapping between each of 96 clusters and the 5-bitsequences of bits. The method of updating the masks mid-loop iscomplimentary to (and can be employed with) embodiments of 6A and 6Bwhich may (all together) also multiply the number of clusters by 8. In5-bit implementation with one update step in the middle, using the L-Rswapping and negation using the “++” and “− −” quadrants, eachmultiplication would need to be classified into one of 128 clusters, anddecoding the exponent would involve identifying the mapping between 256clusters and sequences of 5-bits. Although in general optimized squarescan be used throughout this algorithm, some embodiments turn somesequences of k squares into k AMM squares—which has the same SPAsignature as an update step. (If using the ‘squaring X’ approach forupdates, an AMM square may be used to update the mask for table entry‘0’.) Employing AMM squares in this way may introduce additionalconfusion into the cluster classification problem.

As noted previously, an SPA trace can reveal to an attacker whichclusters belong in which region. When solving the clustering problem, anattacker who can identify the location of updates can treat clustersprior to the update as disjoint from clusters after the update. If theattacker can determine the correspondence between clusters before theupdate and the clusters afterwards (i.e. can connect the 0 cluster(“zero”) to the 0′ cluster (“zero prime”)) they can perform a high-orderattack as though there had been no update. If the relationship between Xand Y is effectively random (from the perspective of an attacker whoobserves only side channel leakage of X and Y), then connectingcorresponding clusters may require the attacker to focus on themultiplies that take place during the update step, itself—i.e.multiplies in which X is an input and Y is an output. It is onehypothesis of this design that input/output correlations are harder toexploit than other kinds. If the signal-to-noise ratio is low enough, itmay not be solvable by analyzing a single trace—and the attacker maytherefore have to integrate leakage across many successive traces inorder to succeed in detecting a correlation. To prevent theaforementioned attack, some embodiments update the exponent D betweensuccessive traces, which changes the cluster each multiplication belongsto.

In some embodiments, the mid-loop update can include exponent blindingwhere a base C is raised to the exponent D and another parameter whichis added in modulo P or N. Here, there is a parameter ϕ(P) or ϕ(N),which is the order of the group modulo that modulus, and which allows anequivalent exponent to be produced. An exemplary equation is given byC^(D+k·ϕ(P)) mod P=C^(D) mod P.

In exponent blinding, the order of prime of P is given by P−1. Thus, anymultiple of P−1 added to the initial exponent D produces the exact sameresult when the calculation is performed modulo P. The randomizationchanges the actual bit sequence that is being used in theexponentiation. Although the exponents are all equivalent, they are notidentical. For example, a certain sequence of bits may appear in thebinary representation of one exponent, and a different sequence of bitsmay appear at the corresponding location in the binary representation ofa different exponent. In some cases, an attacker who is able topartially solve a clustering problem (or exploit any other leak) torecover a subset of the bits corresponding to one exponent D+k₁*ϕ(P),may not be able to solve or integrate this information with leakage fromother exponents D+k_(j)*ϕ(P) to determine the value of the exponent D.

If exponentiations with D implemented using ‘masked’ exponents, the bitsin the exponent are constantly changing, and a given k-bit sequence fromdifferent exponents will likely correspond to different entries in thetable. (The n'th multiplication in a second trace will likely belong toa different cluster than the n'th multiplication in a first trace.)However, if the leakage rate is so great that SPA characteristics aloneare sufficient to reveal what the parameters to the multiplies are, thenan attacker may be able to decipher the exponent. For example, if theexponent is not randomized and an attacker is able to collect, e.g.˜1000 power traces, the attacker can average all those power traces andperform an SPA-like clustering attack.

Alternatively, the attacker need not average the traces to succeed inthe attack. If an attacker can use statistical methods to determine thatall ˜1000 operations occurring at a location belong to the same cluster,the attacker will have sufficient information to perform a clusteringattack. However, if the exponent is randomized, the attacker may have toperform a successful clustering attack from a single trace.

Thus, some embodiments of the mid-loop update algorithm include the useof exponent randomization.

In some embodiments, the update step uses a parameter R that is derivedindependently of X. If the update step uses multiplication by aparameter R (in place of multiplication by table entry 0), then this maygreatly increase the difficulty of connecting clusters by attacking theinput/output leakages. And again, when the exponent is randomized, theattacker may have to complete the clustering attack using a singletrace. Unless the leakages are extremely high, it is expected thatinput/output correlations will be low and it would not therefore befeasible in practice to complete a clustering attack from a singletrace.

As noted previously, one method of performing a mid-loop update is bysquaring. In addition to squaring, there are other methods of performingmid-loop update. FIG. 8A also shows another embodiment of a mid-loopupdate using a second parameter R. As shown in FIG. 8A, the originaltable entries (0, 1, 2, 3) are multiplied by R to yield (0*R, 1*R, 2*R,3*R). Thus, the entries become masked by Y, where Y=R*X, to produce (Y,C*Y, C²*Y, C³*Y). Thus, Y is a function of R and X.

When the exponent is updated mid-loop through multiplying by R, theupdate exponent will be in the form of the sequence MMMM, instead of thesequence MMMS. As shown in FIG. 8A, the sequence MMMS corresponds to anupdate by X, whereas the sequence MMMM corresponds to an update by R.(And embodiments may use an AMM square in an update by X to produce asequence that is indistinguishable in SPA from MMMM.)

In some embodiments, the update comprises a plurality of updatesthroughout the computation. In some embodiments, the update can beperformed regularly, in contrast to other embodiments in which only oneupdate is performed mid-computation.

In some further embodiments, the optimal number of updates can bedetermined by analyzing the clustering problem. In these embodiments, astrong countermeasure can be obtained if the computation ends at a pointwhere the attacker can only observe one multiply for each cluster. Inpractice however, it may be likely that an attacker may observe twoentries in some clusters, one entry in some clusters, or even no entriesin some clusters. (For example, in a 4-bit implementation with 16entries in the table, randomized L-R swapping, and using “+−”/“a−+”quadrants, if updates are performed every 64 multiplications—or every256 squares—then on average a multiplication with LHS=A (theaccumulator) and RHS=(−(C¹¹⁰⁰¹*X)) will only be observed once. However,for certain random exponents and a certain sequence of L-R and +/−decisions, a multiplication with these LHS and RHS may occur two or moretimes in the region, while for others it may not occur at all.) Thelikelihood of seeing any particular number of instances (if alldecisions and exponent bits are random and i.i.d.) is approximated bythe Poisson distribution with Nmult=the number of multiplicationsbetween updates, and lambda=(the number of clusters)/Nmult.Nevertheless, the chance of getting a few examples in one cluster maynot significantly diminish the difficulty of the clustering problem,because the attacker still needs to correctly classify all operationsthat are present.

In some embodiments, the number of exponentiation loop iterations (andmultiplications performed) before performing an update is such that onaverage two examples in each cluster are expected. In some embodimentswith table size 2^(k) and cluster multiplier T (for example equal to1/2/4/or 8, depending on the combination of L-R swapping and negationquadrants used), an update is performed after about (2*T*2^(k)) loopiterations. For other embodiments, the update is performed when thenumber is expected to be three or four examples per cluster (e.g.3*T*2^(k) or 4*T*2^(k)) or even more. It is believed that for manyleakage functions, the classification problem is challenging for anattacker to solve (with low enough error rate for the attack to succeed)so long the number of examples per cluster is small. Some embodiments inwhich the exponent is being randomized implement more than (4*T*2^(k))multiplications between updates.

In some embodiments there are fewer loop iterations before an update isperformed. For example, an update can be performed once every iteration.An update equates to one multiply for each element in a table, and in atable with four entries, this will yield four multiplies. The tradeoffmay be worthwhile in some embodiments such as one in which the exponentis not being randomized. However, if half of the total number ofmultiplies are used for the exponentiation (i.e. are changing the valuein the accumulator) and the other half are used for updates (i.e. arechanging value(s) in a cache), this may result in extremely highresistance to HODPA attacks at the cost of slow performance. Theperformance hit may be minimal in embodiments that perform themultiplications of the update step in parallel—and performing them inparallel may further increase resistance to side channel leakage.

Unmasking and Efficiently Finding New Masks

When updates are performed by squaring, all intermediate masks can beexpressed in terms of the initial JMEB mask X. (JMEB, short for ‘jointmessage and exponent blinding’, is a name for embodiments of FIG. 7A,FIG. 7B, FIG. 7C, FIG. 8A, FIG. 8B, FIG. 8C, or FIG. 8D.) The inverse ofX is a function of modulus N, of the length of exponent D (the number ofiterations of the loop), and of which iterations are followed byupdates. Because the length of exponents D can vary when exponentrandomization is being used, some embodiments compute more multipleunmasking parameters for X, corresponding to different lengths. In someembodiments an unmasking parameter is generated that corresponds to thelongest expected exponent, and the exponentiation loop is run for thecorresponding number of iterations.

If X and R are independent, with Y=X*R, then separate unmaskingparameters can be computed corresponding to specific lengths for X andY. If the exponent D is longer than Beta and shorter than Alpha, then Dmay be expanded to the length of Alpha by prepending 0 bits, andcomputation can proceed starting with the accumulator initialized to 1,the cache initially masked with X and mixing in R at the pointcorresponding to the length of Beta. If the exponent D is shorter thanBeta, however, then D may be expanded to the length of Beta byprepending 0 bits, and the computation can proceed starting with aninitial mask of (Y=X*R), the accumulator initialized with Z=X^(Alpha″),and not performing an update step. Here Alpha″ equals Alpha with all thelow-order zeros truncated—i.e. Z is exactly the value the accumulatorwould have held had it been initialized with 1 and then squared andmultiplied by X for a number of iterations equal to the length of Alphaminus the length of Beta. In this way variable-length exponents D can beaccommodated efficiently, by storing an extra parameter Z together withthe regular parameters X, R, and the unmasking parameter UX.

Therefore, upon running the modular exponentiation loop, if there is atleast a first mask, and a pre-calculated inverse masking primary that isa function of the length of the exponent, then the exponent has to beprocessed at a constant length (e.g. 10-bits long, or the length of thelongest exponent), corresponding to the exponent Alpha that was usedwhen deriving the unmasking parameter. If a longer exponent issubmitted, some embodiments accept it but leave its first few bitsunmasked. (In non-CRT RSA, the high-order bits of the exponent do notnecessarily need to be kept secret; however if exponent randomization isbeing used, revealing the high-order bits could undesirably reveal partor all of the bits of the mask.) Alternatively, the embodiment mayreject the exponent if it does not allow computations of an exponentgreater than a nominal length.

In general, as discussed above, the unblinding factor (for a given setof parameters) can be computed using one exponentiation and computingone inverse. However, if a sequence of exponentiations needs uniqueblinding factors, much more efficient methods exist for obtaining a set,if the parameters are known in advance and precomputed values can bestored. The main approach takes advantage of the fact that if {X, R1,R2, R3, . . . } are a set of masks and UX is a corresponding unmaskingparameter, then other sets of masks and unmasking parameters can becomputed efficiently from it. For example, UXA is also an unmaskingparameter for the set of masks {X^(A), R1^(A), R2^(A), R3^(A),} i.e.where each parameter is raised to the A′th power. In many designs of thebackground art, blinding factors B and U are maintained such thatB=1/U^(E), and B^(D)*U=(1/U^(E))^(D)*U=(1/U^(ED))*U=(1/U)*U=1 mod N.Those blinding factors are often updated by squaring. Clearly thisworks, because if (B^(D))*U=1 mod N then((B²)^(D))*(U²)=((B^(D))²)*(U²)=((B^(D))*(B^(D))*(U*U))=((B^(D))*U)²=1²=1mod N.

This may be efficient, but as was demonstrated with the doubling attack,if the attacker knows that the input to an operation in one trace may bethe square of the input to that operation in the previous trace, thiscreates a relationship that can be tested—and potentially avulnerability that can be exploited. In the higher security models, anypredictable relationship between the i′th operation in the h′th traceand the j′th operation in the g′th trace creates a potentialvulnerability. In a slightly broader security models, a goal is to avoidthe relationship where an intermediate in one exponentiation ispredictably the square of an intermediate in a previous computation.

This is especially a concern when the mid-exp updates compute Y from Xby squaring, because the sequence of masks that occur after updateswithin one exponentiation (X, X², X⁴, X⁸, etc.) is exactly the sequenceof values of X that would be observed between traces if X were updatedbetween exponentiations by squaring. Thus, if the values are updated bysquaring, based on a previous map (e.g. (1 3 3 0) corresponding to (0′,2′, 1′, 2′)), and an attacker can determine that a multiply at onelocation is by X and the multiply at another location is by X², theattacker can subsequently perform a doubling attack to attempt toidentify that relationship.

One very efficient alternative to finding subsequent (X, UX) masks bysquaring is to find the next mask by cubing: (X_next=X³, andUX_next=UX³). Although this could be attacked by a ‘tripling’ attack, itgreatly reduces the scope of the attack because #1 all of the mid-loopupdates are performed by squaring, so no longer match the out-of-loopupdates, and because #2 exponentiation loops are full of squaringoperations, but it is extremely rare that the input to one operation isthe cube of the input to a previous operation. Furthermore, although inprinciple both a JMEB blinding factor and a regular blinding factorcould be updated by cubing, some embodiments cube the JMEB blindingfactors but update the other blinding factors by squaring—effectivelyyielding intermediates in a subsequent exponentiation that are neitherthe square nor the cube of intermediates in a previous exponentiation.Note that cubing is nearly as efficient as squaring, and can beaccomplished with one square and one multiply.

Some embodiments devote more memory to the problem, storing JMEB masksXA and XB and corresponding unmasking parameters UA and UB, such that UAis the unmasking parameter for XA for a given set of parameters (N,exponent length, update frequency) and UB is the unmasking parameter forXB over the same parameters. The pair (XA,UA) is used to mask anexponentiation, then the pairs are updated as follows. First (XA,UA) isupdated by computing XA′=XA*XB mod N, and UA′=UA*UB mod N. Next, (XB,UB)is updated by computing XB′=XA′ *XB mod N, and UB′=UA′ *UB mod N. It canbe shown that if XA₁ (the first value of XA) can be expressed in termsof some F¹*G⁰ where XB¹=F¹G¹, then in the first iteration and at eachstep the value in XA and XB can be expressed as a product of F and Geach raised to some power, where the powers are Fibonacci numbers andthe power of F in one of the terms is always one Fibonacci number higherthan the power of G. This update method is very efficient, requiringonly four multiplications total to update XA, XB, UA, UB. Otherembodiments use other methods of updating and combining two blindingfactors to produce a sequence of blinding factor that is hard to attackwith a doubling-attack type of approach. Another example is one in whichXA,UA is updated by cubing, while XB,UB is updated by squaring, and theblinding factor for the n'th trace is the product of XA and XB. Otherpowers, combinations of powers, or combinations of the Fibonacciapproach and separate power-based approaches may be used; an embodimentmay even use one method between one pair of traces, and a differentmethod between the next pair.

Although some embodiments do not update the mask X between every pair oftraces, in general it is a good idea to regularly update the mask (ormask pairs).

FIG. 8B shows an SSMSSMSSM . . . exponentiation using table with entries(0, 1, 2, 3) masked by X, which yields 1*X, C*X, C²*X, and C³*X. Asstated previously, the mask X can be updated by squaring at each updatestep within a trace, and the mask X can also be updated by squaring fromone trace to the next (i.e. X and the corresponding unmasking parameterare also updated by squaring between traces).

In FIG. 8B, an update by squaring is performed on an exemplary exponentas shown: 11 01 00 10 10 11 00 00 [update by squaring] 10 00 00 11. FIG.8B also shows which multiply is performed corresponding to the tableentry that the operand is being extracted from. For example, FIG. 8Bshows the multiply is by 3, 1, 0, 2, 2, 3, 0, 0, 2, 0, 0, 3. For a firsttrace, an attacker submits C=1. Prior to the first update, all themultiplies are multiplies by X. Because the first update is by squaring,all the multiplies in the next part of the exponent are multiplies byX². If there is more than one update, the multiplies between the secondupdate and third update are by X⁴, the multiplies between the thirdupdate and fourth update are by X⁸, and so forth.

With reference to FIG. 8B, a random ciphertext is submitted for a secondtrace (trace 2). It is assumed that the value of the mask X was updatedby squaring between traces. Table entries for the second ciphertext areshown. The first table entry for the second trace corresponding to the(00) entry is X², as is shown in the table. Because the secondciphertext is random, the other table entries (non-zero entries) for thesecond trace are effectively random (unrelated to the values in thetable for trace 1) and are denoted as ‘-’ in the table.

In the section below the SSMSSM . . . sequence in FIG. 8B, the value oftable entry 0 has been shown beneath each M that uses it (exponent bits00). As shown, these multiplications are by X² prior to the update, andby X⁴ after the first update; all other values (exponent bits other than00) are denoted by indicating that they are not expected to correspondto any operation in the prior trace. Thus, the update by squaringproceeds from left to right along the exponent, and from one trace tothe next trace.

However, the update by squaring from left to right along the exponentand from one trace to the next may expose vulnerabilities in the systemto cross-correlation attacks. For example, an attacker can use one traceto define a template for the multiplies by 2's, multiply the values byX², and submit a random separate text in the first region where there isa string of multiplies involving X². This gives a strong baseline thatis useful in solving a more generic clustering problem, as this containsa long string of known values, and relationships between other values ofexponent bits can be tested by judicious choice of first and secondciphertext. This situation also sets up testable relationship between X²and X⁴ clusters in sequential traces, and again an attacker can easilybegin with a long baseline of the X⁴ values in the top trace. Inconclusion, it may be undesirable for the masks to be updated betweentraces using the same relationship that is used to update the masks whenmoving from left to right within a single trace.

In some embodiments, the mid-loop update comprises an update by squaringfrom left to right along a trace, and an update by “cubing” (raising theexponent to the third power) from one trace to the next. By using acombination of squaring and cube functions, the same relationship acrossand between different traces can be avoided.

As shown in FIG. 8B, if the update is by cubing, the values will bemultiplied by X³ prior to the first update and X⁶ after the firstupdate. This can counter clustering attacks and reduce cross-correlationproblems because the square value (2) and the cube value (3) arerelatively prime to each other.

The above method of updating using a combination of squaring within atrace and cubing between traces is further described as follows:

Between traces:

X _(i) =X ₀ ³ ^(i)   (1)

As shown in Equation (1), the i^(th) value is repeatedly raised to the3^(rd) power (cubed). In other words, the exponent value is multipliedby 3 each time. The computation updates by 3 proceeding from one traceto the next trace, and at the i′th trace has been updated by 3′ relativeto the initial trace.

Within a trace:

X _(j,0) =X ₀ ² ^(j)   (2)

Equation (2) shows a j^(th) operation in a first (0) trace, where theupdate is by 2^(j) after the j^(th) update, and moving from left toright within the first trace (0) trace.

Between and within traces:

X _(j,i)=(X _(i))² ^(j) =(X ₀ ³ ^(i) )² ^(j) =X ₀ ³ ^(i) ² ^(i)   (3)

Equation (3) shows the substitution of equation (1) into equation (2),and the j^(th) operation in the i^(th) trace. Here, for the i^(th)trace, the i^(th) input is substituted by X_(i). The exponentiation isgiven by X₀ ³ ^(i) ² ^(i) . Since 3^(i) and 2^(j) are relatively prime,there should not be any collisions between the squaring and cubingvalues.

X ³ ^(i) ² ^(j) mod P=X ⁽³ ^(i) ² ^(j) ^(mod ϕ(P)))mod P  (4)

Equation (4) shows equation (3) with a parameter ϕ(P). As notedpreviously, ϕ(P) is a simple function of P, and allows an equivalentexponent to be produced.

However, updating by cubing does not eliminate the possibility of thecross-correlation attacks entirely. The lower part of the chart in FIG.8B shows only the value of the non-accumulator parameter in eachmultiplication. It is possible, however, that the value of theaccumulator may indeed hold X³ at some point, or some other power thatcan be expressed as X raised to 3^(a) times 2^(b) for some nonzero a andb. If such a value exists, it may be detectable by cross-correlationattack—and a large baseline of X raised to 3^(i)*2^(j) for many various(i,j) can be obtained by submitting many sequential C=1. If the ‘L-R’swapping is not employed, then an attacker may be forced to mount anattack exploiting an LHS-RHS correlation in order to detect this leak.This may be challenging. If the exponent D is randomized betweensuccessive traces, this may be sufficient to render thecross-correlation attack impractical.

As described above, methods that use two cached masks (XA,XB) can employan update step (such as the Fibonacci method) that renders intermediatespractically unpredictable between traces, and prevents thesesequential-trace cross correlation attacks.

With reference to FIG. 8A, the device may perform updates by R.Sequential updates may use different values, but, with reference to FIG.8C, may also make use of the same value R, which saves memory. Aftereach update by R, the value Y can be expressed as X times some power ofR. Between traces, the value of X may be updated by squaring. The valueof R may be updated between traces—but may also not be updated. (Shouldan attacker eventually discover the value of R, they may compute andsubmit C=1/R^(i) mod N for various i, but the masking by X may hinder anattack.

If a combination of masks ever cycles (results in the same numbers beinggenerated periodically), this presents a weakness in the system. Forexample, if an LHS or RHS input to one operation is the same as an LHSor RHS input to a second, and there exists a further operation which isthe same as the other, and so forth, the periodicity in occurrences canallow an attacker to detect the reuse of an operand (e.g. by moving downtwo traces and then moving right by 4 operations), which may revealinformation about a secret exponent being processed.

Therefore, a designer's goal is to design a system in which the maskingis set up such that it is very unlikely that there will be twomultiplies using the same input, regardless of the power. In such asystem, there is a very low probability that two random numbers will bethe same, and even if two numbers are the same, the event will nothappen periodically.

By incorporating different exponential powers (3^(i) and 2^(j)) in theupdate, the resulting exponent will be larger compared to an exponentthat is updated equivalent modular by squaring. To determine therelationship between the parameters, an attacker has to analyze thevalues of 3^(i) and 2^(j) and determine if there is a periodicsystematic issue. For example, if there is a value of i and j thatcollides for a particular P, then the values are going to collide forthat P regardless of what the base is.

If an attacker can find a periodic relationship, it means that for aparticular value of C and P, there is a relationship that allows theattacker to determine the locations of i and j, and if the attacker hasinformation pertaining to that relationship, the attacker can use theinformation to learn about P or solve for the exponent. (And inexponentiations where P is a secret RSA prime, knowing P reveals theexponent.) It is relatively easy to exploit a design with many periodicrelationships using a HODPA attack, such as a doubling attack.

Thus, one of the motivations in the embodiments disclosed is to avoidhaving the aforementioned periodic relationships in the design of thecryptosystem. First, it has motivated changes in the update betweentraces, such as not using an update by squaring. In some embodiments,the update involves squaring the values proceeding from left to rightwithin a loop structure, and using an update other than squaring outsideof the loop structure (i.e. updating the factors between rounds using adifferent method other than squaring).

In some embodiments, instead of updating by squaring proceeding fromleft to right, the update can involve multiplying by any value. Forexample, given an initial parameter Y and a blinding factor X, insteadof updating by squaring, the value can be updated by R where R=Y/X. Forthis update, the following are required: X, R, and an inverse parameterthat is a function of X, R, and Y.

Detection of collisions between values will next be described withreference to FIG. 8C. First, a table corresponding to X, CX, C²X, C³X isgenerated. After the first update, the table transforms into XR, CXR,C²XR, C³XR. After the second update, the table transforms into XR²,CXR², C²XR², C³XR². The updates continue such that after the j^(th)update, the table becomes XR^(j), CXR^(j) C²XR^(j), C³XR^(j), and soforth. As a result, Y can be updated, moving left to right, byrepeatedly applying R, without requiring a unique value of R at eachupdate.

For the value X, if the same R is multiplied across the exponent eachtime, XR^(j) will be obtained for each j^(th) value with no relationshipbetween XR, XR², XR³, XR⁴, XR⁵ . . . Thus, X can be squared, and therewill be no distinct relationship between XR and X²R, or between X²R andXR².

However, for the values X and C²X, if X is updated by squaring, anattacker may be able to submit an input message to determine the squarerelationship between CXR and C²X²R².

Also, if X is cubed, or if any power of X is used such that the maximumnumber of updates is, e.g. ˜100 updates, an attacker may be able toobserve the values XR through XR¹⁰⁰ if the update is multiplied by Reach time. If the squaring of X outside of the loop is replaced byraising X, to some power I (X), and if I is a number less than 100, aslong as X is updated using an exponent less than 100, an attacker may beable to identify the values (K^(I) R^(I)) by submitting C and C^(I) atdifferent locations. For example, the values (X^(I) R^(I)) maypotentially occur in a computation if the sequence at the top of theexponent includes l. This relationship be exploited at different timesdepending on the exponent that is being used—i.e. for certain values ofD it leads to relationships that can be tested using chosen C values,where such relationships are not present for other values of theexponent D, and tests for presence or absence of such relationshipstherefore reveals information about D. An attacker can identify whenthese collisions occur and the attacker can submit a message that willcause collisions for some exponents, but not for other exponents. Whenthe collisions occur, the attacker can then gather information about thesystem.

It has been noted that updating any exponent by squaring from left toright can compromise a system because a doubling attack can target thesquaring correlation. Therefore, in some embodiments, it is preferablethat the parameters are not updated by squaring from left to rightacross a trace.

FIG. 8D shows an exemplary embodiment in which a Fibonacci number-basedupdate moving from one trace to the next is used to address theaforementioned deficiencies in updating by squaring across a trace.

Updating by a value R across the calculation requires a second inverse−(X, R, I_(inverse)) remote. However, (X, R, I_(p11), I_(p12)) may berequired if the update proceeds by a number of different ways. Theequation for the above depends on how R is used. For example, if it onlyinvolves multiplying by R's, then the result of the calculation is givenby C^(d)*X^(10101 . . . 01)*R to the respective exponent.

As shown in FIG. 8D, the updated values also updates R. X and R arefirst multiplied in the first update, and R is also updated by squaringto become R² after the first update. After the k^(th) update,R^(k)=R_(o) ^(k), and the mask is given by mask_(k)=XR_(o) ^(k−1). FIG.8D shows the values for mask_(k) for the first four values of X,corresponding to the results of XR²⁻¹, XR⁴⁻¹, XR⁸⁻¹, XR¹⁶⁻¹,respectively.

In some embodiments, the value is multiplied by R before the update bysquaring. The update by squaring also squares the value to produce R².At the end of the update by squaring, the updated value is multiplied by1/R to produce R again. This is to eliminate the squaring correlation(from R->R²) to prevent cross-correlation attacks. Thus, in theseembodiments, in addition to the regular update by squaring, there aretwo additional multiplies to be performed (the first multiply is by R,and the second multiply is by 1/R). The exponent after the j^(th) updateis X^(2j)R^(2j−1). Also, because the power of X (i.e. 2j) and the powerof R (i.e. 2j−1) always differ by 1, the two numbers will be relativelyprime to each other.

In some embodiments, the updated step proceeds from left to right bymethods other than squaring. For example, squaring the composite byadding in R can mitigate the correlation problem associated withsquaring.

As noted previously, the string of multipliers from left to right acrossthe computation (n^(j)) and string of multipliers through a long set oftraces (n^(i)) can cause the system to be vulnerable to doubling attacksif any of the i-j pairs match up. To counter the doubling attacks, thesystem may require additional countermeasures in addition to a maskupdate by squaring.

In some embodiments, the mask update by squaring can also includeincreasing the number of clusters. In some of these embodiments, thenumber of clusters can be increased (doubled) by switching the signs ofthe parameters (positive to negative, and vice versa). In some otherembodiments, the number of clusters can be increased (doubled) byswitching the left hand side and right hand side multiplicands. Theadvantage is that the increase in the number of clusters in each of theabove cases does not require an increase in the amount of memory.

In addition, increasing the number of clusters may allow fewer updatesteps to be used during the computation. For example, the frequency ofupdate can be based on the number of items in each cluster. For a tablecontaining four entries, the four multipliers will give rise to fourclusters. However, if the signs (positive/negative) and parameter sides(left-hand-side/right-hand-side) are switched, this can produce sixteenclusters for every four entries in the table, which means that forsixteen multipliers, an attacker may likely observe only one item percluster on average. This can also mean that some of the clusters havetwo items in each cluster, and some of the clusters will have no items,which creates confusion for the attacker.

Since the update step varies with the length of the original table, itmay be preferable to have other methods of creating more update tablesor creating more clusters that are not proportional to the length of theoriginal table. If the size of the table increases, the size of theupdate step will also increase.

Cryptographic Device

FIG. 9 shows the application of principles described herein embodied ina device (900). For convenience, depending on context, the referencenumerals may refer to steps in a process, and/or to quantities used (orproduced) by such process steps. As shown in FIG. 9, in at least oneembodiment, a device 900 comprises nonvolatile memory 901, at least oneprocessor 902, at least one instruction and data cache 903,cryptographic hardware 904, and an input/output interface 908.

Nonvolatile memory (NVM) 901 can include ROM, PROM, EPROM, EEPROM,battery-backed CMOS, flash memory, a hard disk, or other such storagethat can be used to store a key and/or other information, as needed toimplement the various embodiments described herein.

Processor 902 may be, for example, a single or multiple microprocessors,field programmable gate arrays (FPGAs), or digital signal processors(DSPs) capable of executing particular sets of instructions.

Cache 903 is local memory within the device or chip. For example, cache903 may be on-chip memory that temporarily stores data or instructionsoperated on by processor 902.

Input/output interface 908 is software or hardware the provides thedigital signature to other components for further processing.

Crypto 904 may be, for example, hardware, software, or a combination ofhardware and software, that performs cryptographic functions. Crypto 904may comprise, for example, a module 905 for storing math libraryroutines such as ModExp routines and other cryptographic algorithms(e.g. Chinese Remainder Theorem).

Crypto 904 may further comprise, for example, high level hardware 906and low level hardware 907. Hardware can generally be described atdifferent abstraction levels, from high-level software-like environmentsto low-level composition of electronic building blocks. Typically, thehigher levels are only concerned with functional aspects, while thelower levels take more physical aspects into account.

In some embodiments, low level hardware 907 may comprise an 8-bitmultiplier in the form of a chip. The 8-bit multiplier is capable ofmultiplying inputs to the system. Inputs may, for example, comprise8-bit words. The 8-bit multiplier may also have a property whereby themultiplier consumes less power when certain computed bits are the same.The 8-bit multiplier may also have corresponding less power leakage whenit consumes less power. Based on the power consumption profile andleakage of the multiplier during multiplication, it may be possible todetermine where the same bits are located and the respective bits(either 1 or 0).

In some embodiments, low level hardware 907 may comprise a higher bitmultiplier at a microcode level. For example, the higher bit multipliermay comprise a 16-bit or a 32-bit multiplier that is built from 8-bitmultipliers, with the 16-bit or 32-bit multiplier located at themicrocode level.

In some embodiments, high level hardware 906 may comprise a 512-bitmultiplier built from 32-bit multipliers located at the microcode level.The 512-bit multiplier can be used to multiply two 512 bit inputparameters to output a 1024 bit parameter that is twice the input 512bit parameter. Alternatively, an inter-weave reduction may be performedin an intermediate module, which produces an output of the same size asthe original 512 bit input parameter.

In some embodiments, multiplication operations may be performed usingsoftware in module 905, which may comprise a high level math librarydatabase. For example, the math library database may include a ModexProutine and a top level cryptographic algorithm, such as RSA. The RSAcan be masked at a high level by blinding the inputs and a numbercomputed by multiplying the blinded inputs. At the end of thecomputation, the computed number can be unmasked by multiplying with aninverse parameter. The inverse parameter in RSA is a function of thesecret key and can be computed using the secret key. A similar secretkey may also be used in the ModexP routine. However, computing theinverse parameter using a secret key in ModexP may add new features tothe system. Hence, computing an inverse mask may be faster at the toplevel RSA than at the ModexP level.

The top level RSA can also compute the inverse mask using only thepublic parts of the key. The inverse mask may be computed more quicklyusing the public key than the secret key, without greater risk ofleakage.

In some embodiments, it may be preferable to implement the securitycountermeasures in the present disclosure at low level hardware 907,which allows greater control and flexibility by the user. This isbecause when security requirements are moved to the top level (such asmodule 905 or high level hardware 906), there may be limited flexibilityin modifying the RSA routine. For example, a smart card manufacturer maynot be able to readily modify the RSA routine, because the RSA routineis written in a software such as JavaCard that is provided by a thirdparty supplier.

Thus, in some embodiments, security countermeasures in the form of amasking method may preferably be implemented at low level hardware 907.At low level hardware 907, the unmasking parameter may not need todepend on the secret key and the modulus. Nevertheless, even if there isa modulus line, the squares of the modulus may still be computed usingthe squares of the masking parameter with the modulus, without leakingmuch information about the modulus.

Implementing the security countermeasure at low level hardware 907 (atthe microcode level) may also provide other benefits. In some devices, acountermeasure may not be necessary when device 900 is first used.However, after the hardware has been used over time and the hardware isstill running on the original microcode, power leakages may arise thatcan compromise the secret key in SPA and DPA attacks. A countermeasureat the microcode level may address the above problems.

As those skilled in the art will appreciate, the techniques describedabove are not limited to particular host environments or form factors.Rather, they can be used in a wide variety of applications, includingwithout limitation: cryptographic smartcards of all kinds includingwithout limitation smartcards substantially compliant with ISO 7816-1,ISO 7816-2, and ISO 7816-3 (“ISO 7816-compliant smartcards”);contactless and proximity-based smartcards and cryptographic tokens;stored value cards and systems; cryptographically secured credit anddebit cards; customer loyalty cards and systems; cryptographicallyauthenticated credit cards; cryptographic accelerators; gambling andwagering systems; secure cryptographic chips; tamper-resistantmicroprocessors; software programs (including without limitationprograms for use on personal computers, servers, etc. and programs thatcan be loaded onto or embedded within cryptographic devices); keymanagement devices; banking key management systems; secure web servers;electronic payment systems; micropayment systems and meters; prepaidtelephone cards; cryptographic identification cards and other identityverification systems; systems for electronic funds transfer; automaticteller machines; point of sale terminals; certificate issuance systems;electronic badges; door entry systems; physical locks of all kinds usingcryptographic keys; systems for decrypting television signals (includingwithout limitation, broadcast television, satellite television, andcable television); systems for decrypting enciphered music and otheraudio content (including music distributed over computer networks);systems for protecting video signals of all kinds; intellectual propertyprotection and copy protection systems (such as those used to preventunauthorized copying or use of movies, audio content, computer programs,video games, images, text, databases, etc.); cellular telephonescrambling and authentication systems (including telephoneauthentication smartcards); secure telephones (including key storagedevices for such telephones); cryptographic PCMCIA cards; portablecryptographic tokens; and cryptographic data auditing systems.

Some of the methods performed by the device may be implanted usingcomputer-readable instructions can be stored on a tangiblenon-transitory computer-readable medium, such as a flexible disk, a harddisk, a CD-ROM (compact disk-read only memory), and MO(magneto-optical), a DVD-ROM (digital versatile disk-read only memory),a DVD RAM (digital versatile disk-random access memory), or asemiconductor memory. Alternatively, some of the methods can beimplemented in hardware components or combinations of hardware andsoftware such as, for example, ASICs, special purpose computers, orgeneral purpose computers.

All of the foregoing illustrates exemplary embodiments and applicationsfrom which related variations, enhancements and modifications will beapparent without departing from the spirit and scope of those particulartechniques disclosed herein. Therefore, the invention(s) should not belimited to the foregoing disclosure, but rather construed by the claimsappended hereto.

1.-32. (canceled)
 33. A system comprising: at least one processor; and anon-transitory computer-readable medium having instructions storedthereon that, when executed on the processor, asymmetrically masks acryptographic operation to improve resistance to third party attacks bybeing configured to perform the steps of: receiving at least one inputvalue; defining a left-hand-side (LHS) parameter using at least one ofthe input values; defining a right-hand-side (RHS) parameter using atleast one of the input values; calculating a plurality of intermediatevalues, including a first intermediate value based on the LHS parameterand a second intermediate value based on the RHS parameter, wherein atleast one of the first intermediate value and the second intermediatevalue is calculated based on a mask value; and applying a fix value toat least one of the plurality of intermediate values to generate anoutput value comprising a multiplication product of at least oneunmasked value of the input value used to define the LHS parameter orthe RHS parameter.
 34. The system of claim 33, wherein the input valueused to define the LHS parameter is different from the input value usedto define the RHS parameter, and wherein the output value comprises amultiplication product of the input value used to define the LHSparameter and the input value used to define the RHS parameter.
 35. Thesystem of claim 33, the instructions further being configured tocalculate a second mask value and to use the second mask value tocalculate at least one of the plurality of intermediate values.
 36. Thesystem of claim 33, wherein the instructions for asymmetrically maskingthe cryptographic operation makes a squaring operation appear to be anon-squaring multiplication operation to a third party attack.
 37. Thesystem of claim 33, the instructions further being configured todetermine whether the cryptographic operation comprises a sequence ofsquaring and multiplication operations.
 38. The system of claim 37,wherein the instructions further being configured to determine an inputof a second squaring or multiplication operation in the sequence ofsquaring or multiplication operations based on an output of a firstsquaring or multiplication operation in the sequence of squaring ormultiplication operations.
 39. The system of claim 37, wherein theinstructions are further configured to mask an input of a first squaringor multiplication operation in the sequence of squaring ormultiplication operations, an output of the first squaring ormultiplication operation, and an input of a second squaring ormultiplication operation in the sequence of squaring or multiplicationoperations by the mask value.
 40. The system of claim 37, wherein theinstructions are further configured to apply a first mask operationbetween a multiplication and a squaring operation in the sequence ofsquaring or multiplication operations, and to apply a second maskoperation between two squaring operations in the sequence of squaring ormultiplication operations.
 41. The system of claim 40, wherein a thirdmask operation is applied between a squaring operation and amultiplication operation in the sequence of squaring or multiplicationoperations.
 42. The system of claim 33, wherein the asymmetricallymasking converts a squaring operation into a series of multiplicationoperations.
 43. A method comprising: asymmetrically masking acryptographic operation to improve resistance to third party attacks by:receiving at least one input value; defining a left-hand-side (LHS)parameter using at least one of the input values; defining aright-hand-side (RHS) parameter using at least one of the input values;calculating a plurality of intermediate values, including a firstintermediate value based on the LHS parameter and a second intermediatevalue based on the RHS parameter, wherein at least one of the firstintermediate value and the second intermediate value is calculated basedon a mask value; and applying a fix value to at least one of theplurality of intermediate values to generate an output value comprisinga multiplication product of at least one unmasked value of the inputvalue used to define the LHS parameter or the RHS parameter.
 44. Themethod of claim 43, wherein the input value used to define the LHSparameter is different from the input value used to define the RHSparameter, and wherein the output value comprises a multiplicationproduct of the input value used to define the LHS parameter and theinput value used to define the RHS parameter.
 45. The method of claim43, further comprising calculating a second mask value and using thesecond mask value to calculate at least one of the plurality ofintermediate values.
 46. The method of claim 43, wherein theasymmetrically masking the cryptographic operation makes a squaringoperation appear to be a non-squaring multiplication operation to athird party attack.
 47. The method of claim 43, further comprisingdetermining whether the cryptographic operation comprises a sequence ofsquaring and multiplication operations.
 48. The method of claim 47,further comprising determining an input of a second squaring ormultiplication operation in the sequence of squaring or multiplicationoperations based on an output of a first squaring or multiplicationoperation in the sequence of squaring or multiplication operations. 49.The method of claim 47, further comprising masking each of an input of afirst squaring or multiplication operation in the sequence of squaringor multiplication operations, an output of the first squaring ormultiplication operation, and an input of a second squaring ormultiplication operation in the sequence of squaring or multiplicationoperations by the mask value.
 50. The method of claim 47, furthercomprising applying a first mask operation between a multiplication anda squaring operation in the sequence of squaring or multiplicationoperations, and applying a second mask operation between two squaringoperations in the sequence of squaring or multiplication operations. 51.The method of claim 50, wherein a third mask operation is appliedbetween a squaring operation and a multiplication operation in thesequence of squaring or multiplication operations.
 52. The method ofclaim 43, wherein the asymmetrically masking converts a squaringoperation into a series of multiplication operations.